Post

Information Disclosure Vulnerabilities

Posted
By Shervoni
4 min read
Information Disclosure Vulnerabilities

What is Information Disclosure?

Information disclosure, also known as information leakage, occurs when a website unintentionally reveals sensitive information to its users. Depending on the context, websites may leak all kinds of information to a potential attacker, including:

  • Data about other users, such as usernames or financial information
  • Sensitive commercial or business data
  • Technical details about the website and its infrastructure

Examples of Information Disclosure

Some basic examples of information disclosure are as follows:

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
  • Providing access to source code files via temporary backups
  • Explicitly mentioning database table or column names in error messages
  • Unnecessarily exposing highly sensitive information, such as credit card details
  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code
  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior

In this topic, you will learn how to find and exploit some of these examples and more.

How to Prevent Information Disclosure Vulnerabilities

Preventing information disclosure entirely is tricky due to the wide variety of ways it can occur. However, there are some general best practices that you can follow to minimize the risk of these vulnerabilities creeping into your websites:

  • Make sure everyone understands what is sensitive: Ensure everyone involved in producing the website knows what information is considered sensitive. Sometimes seemingly harmless information can be much more useful to an attacker than people realize.
  • Audit code for potential information disclosure: Make sure you regularly audit code for possible information leaks as part of your QA or build processes. Automating tasks like stripping developer comments can help.
  • Use generic error messages: Avoid providing attackers with clues about the application’s behavior unnecessarily.
  • Disable debugging features: Double-check that any debugging or diagnostic features are disabled in the production environment.
  • Review third-party configurations: Fully understand the configuration settings and security implications of any third-party technology you implement. Investigate and disable any features or settings that you don’t need.

High-Level Techniques and Tools

  • Fuzzing:
    • Submit unexpected data types and fuzz strings to uncover subtle hints about the application.
    • Monitor differences in responses, HTTP status codes, and processing times.
  • Burp Suite:
    • Use Intruder for fuzzing parameters and analyzing responses.
    • Enable grep extraction rules to detect sensitive keywords like SELECT, error, or debug.
    • Utilize the Logger++ extension for enhanced request/response tracking.
  • Engagement Tools:
    • Use tools like Discover Content, Find Comments, and Search in Burp to locate hidden or sensitive data.

Common Sources of Information Disclosure

Here are common areas to check for exposed sensitive data:

1. Files for Web Crawlers

  • Targets: /robots.txt, /sitemap.xml.
  • Description: These files guide crawlers and may list directories to avoid, which could contain sensitive information.
  • Example Payloads:
    • /robots.txt
    • /sitemap.xml
    • /hidden-directory/robots.txt

2. Directory Listings

  • Targets: Unsecured directories without an index.html or proper access controls.
  • Description: Exposes contents of directories, including temporary files and dumps.
  • Example Payloads:
    • /tmp/
    • /backup/
    • /debug/

3. Developer Comments

  • Targets: Inline HTML comments or code remnants.
  • Description: Comments can reveal hints about logic, hidden endpoints, or sensitive details.
  • How to Detect: Use Burp’s Find Comments tool or inspect source code in developer tools.

4. Error Messages

  • Targets: Verbose error messages in response to invalid inputs.
  • Description: Error messages may expose database types, file paths, stack traces, or sensitive variables.
  • How to Test:
    • Submit invalid data and observe detailed responses.
    • Look for specific technologies or versions in stack traces.

5. Debugging Data

  • Targets: Debug logs, error pages, or verbose responses.
  • Description: May leak session variables, encryption keys, file paths, or system credentials.
  • Example Payloads:
    • /debug
    • /logs/error.log
    • /phpinfo.php

6. User Account Pages

  • Targets: User profile or account settings endpoints.
  • Description: Leaks sensitive user data such as email, API keys, or tokens due to logic flaws.
  • Example Payloads:
    • /user/profile?id=123
    • /account/settings

7. Backup Files

  • Targets: Backup or temporary files.
  • Description: Backup files often contain sensitive information, including source code or database snapshots.
  • Example Payloads:
    • /index.php~
    • /config.bak
    • /db_backup.sql

8. Insecure Configuration

  • Targets: Misconfigured servers or exposed debug features.
  • Description: May reveal HTTP TRACE methods, sensitive headers, or diagnostic output.
  • Example Payloads:
    • TRACE /
    • /server-status
    • /debug

9. Version Control History

  • Targets: Exposed .git or .svn directories.
  • Description: Version control history can expose source code, API keys, or credentials.
  • Example Payloads:
    • /.git/
    • /.svn/

How to Exploit Information Disclosure

1. Fuzzing Parameters

  • Use Burp Intruder to fuzz parameters with unexpected data or crafted payloads.
  • Monitor responses for errors or hints about backend systems.
  • Example Payloads:
    • id=../../etc/passwd
    • debug=true
    • config=1

2. Exploiting Error Messages

  • Submit invalid input to trigger verbose error messages.
  • Focus on:
    • Revealed stack traces.
    • Named technologies (e.g., “MySQL”, “PostgreSQL”).
    • File paths and environment details.

3. Accessing Backup Files

  • Request common backup file extensions directly.
  • Example Payloads:
    • /config.php.bak
    • /settings.json~
    • /backup.tar.gz

4. Harvesting Debug Information

  • Inspect debug logs and responses for credentials, session variables, or keys.
  • Example Endpoints:
    • /logs/errors.log
    • /debug/logs

5. Leveraging Git Metadata

  • Access .git/ directories and retrieve source code.
  • Use tools like GitDumper to clone repositories from .git.

Common Payloads for Information Disclosure

Robots.txt and Sitemap.xml

  • /robots.txt
  • /sitemap.xml
  • /hidden/robots.txt

Directory Listings

  • /backup/
  • /debug/
  • /temp/

Backup and Temp Files

  • /index.php~
  • /config.bak
  • /db_backup.sql

Debug Endpoints

  • /debug
  • /phpinfo.php
  • /logs/errors.log

Version Control Files

  • /.git/
  • /.svn/
  • /repo/.git/
Web Security
Information Disclosure PortSwigger
This post is licensed under CC BY 4.0 by the author.