# Information disclosure

* **Information disclosure is a vulnerability that occurs when a website leaks sensitive data, so that an attacker can learn things such as:**
  1. Data about other users, such as usernames or financial information
  2. Sensitive commercial or business data
  3. Technical details about the website and its infrastructure
* **It occurs when an application fails to properly protect sensitive information, giving users access to information they should not have.**

### 💡 **Examples of information disclosure**

1. Revealing hidden directories, their structure, and their contents via a **`robots.txt`** file
2. **`Source code` ⇒ ( .git - .backup - .old ... )**
3. **`Backup files` ⇒ ( zip - tar - RAR ... )**
4. **`Hidden files` ⇒** files whose names start with **`.`, like `.hidden.php`; list them with `ls -lah`**
5. **`GitHub search` ⇒** finding files such as **`SSH keys`, `API` keys or `tokens`**
6. **`Internal IP addresses`**
7. A website mentioning database table or column names in error messages
8. Showing sensitive information, such as credit card details

### 💡 **How can it happen?**

1. **The developer does not remove internal content from public content.**
2. **Insecure configuration of the website and related technologies**
   1. e.g. displaying verbose error messages that reveal information about the website
3. **Flawed design and behavior of the application:**
   1. For example, a website that returns different error responses for different inputs; this shows up when brute-forcing a login page with a list of usernames

### 💡 **Impact of information disclosure vulnerabilities**

1. **It can have a high impact on users, e.g.**: an online shop leaking its customers' credit card details
2. Leaking technical information: directory structure, which frameworks are being used
3. Leaking source code or exposing the internal structure, e.g. finding an SSH key to an internal server

### 💡 **How to test for information disclosure vulnerabilities:**

* 1- [Fuzzing](https://portswigger.net/web-security/information-disclosure/exploiting#fuzzing)
  1. Identify interesting parameters and automate the process (Burp Intruder)
  2. Add payload positions to the parameters and use pre-built fuzzing wordlists
  3. Identify differences in responses by comparing HTTP status codes, response times and lengths
  4. Use the [Logger++](https://portswigger.net/bappstore/470b7057b86f41c396a97903377f3d81) extension: in addition to logging requests and responses from all of Burp's tools, **it allows you to define advanced filters for highlighting interesting entries**.
* 2- [Using Burp Scanner (Pro)](https://portswigger.net/web-security/information-disclosure/exploiting#using-burp-scanner)
  1. You can schedule automated scans to crawl and audit the target site
  2. Burp Scanner will alert you if it finds sensitive information such as private keys, email addresses, credit card numbers, backup files or directory listings in a response
* 3- [Using Burp's engagement tools](https://portswigger.net/web-security/information-disclosure/exploiting#using-burp-s-engagement-tools)
  1. **Search**:
     1. Use this tool to look for any expression within the selected item.
     2. Refine the results using advanced search options, such as regex search or negative search.
  2. **Find comments**
     1. Use this tool to quickly extract any developer comments found in the selected item.
     2. It also provides tabs to instantly access the HTTP request/response in which each comment was found
  3. **Discover content:**
     1. Use this tool to **identify additional content and functionality** that is not linked from the website's visible content.
     2. It **finds additional directories and files** that **won't necessarily appear in the site map automatically.**
* 4- [Engineering informative responses](https://portswigger.net/web-security/information-disclosure/exploiting#engineering-informative-responses)
  1. Error messages can sometimes disclose interesting information while you test
  2. The next step depends on what the error message reveals
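As an added example (not from the original notes and not Burp's own code), a small Python scanner that applies the kind of checks listed above (private keys, email addresses, card numbers, directory listings, developer comments, database errors and version banners) to a set of response bodies. The sample responses and paths are constructed for the demonstration.

```python
import re

# Constructed sample response bodies keyed by path (not captured from any real site).
SAMPLE_RESPONSES = {
    "/": "<html><!-- TODO: remove /admin-old before launch --><body>Welcome</body></html>",
    "/backup/": "<html><head><title>Index of /backup</title></head><body><a href=\"site.zip\">site.zip</a></body></html>",
    "/api/keys": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
    "/search?q=%27": "SQLSTATE[42000]: Syntax error near ''' in users.email at line 1 (MySQL 5.7.33)",
    "/contact": "<p>Mail us at support@example.com</p><p>Card on file: 4111 1111 1111 1111</p>",
}

# Disclosure indicators, in the spirit of the checks Burp Scanner and "Find comments" perform.
INDICATORS = [
    ("private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("directory listing", re.compile(r"<title>Index of /", re.I)),
    ("developer comment", re.compile(r"<!--.*?-->", re.S)),
    ("email address", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("database error", re.compile(r"SQLSTATE|ORA-\d{5}|syntax error", re.I)),
    ("version banner", re.compile(r"(?:MySQL|PHP|Apache|nginx)/?\s?\d+\.\d+[\w.]*", re.I)),
]
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits with optional separators

def luhn_ok(digits):
    """Luhn checksum: a run of digits is only reported as a card number if it validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_body(body):
    """Return the list of disclosure indicators found in one response body."""
    findings = [label for label, rx in INDICATORS if rx.search(body)]
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("credit card number")
            break
    return findings

def scan_responses(responses):
    """Map each path to its findings, keeping only responses that leaked something."""
    report = {}
    for path, body in responses.items():
        hits = scan_body(body)
        if hits:
            report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan_responses(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(hits)}")
```

The Luhn check keeps ordinary numeric strings (order ids, timestamps) from being reported as card numbers.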


### Methods for testing:

1. **Web crawlers:**
   1. Many websites provide **`/robots.txt`** and **`/sitemap.xml`** to help crawlers navigate their site; they may contain sensitive information.
   2. Sometimes Burp does not add them to the site map, so we can access them manually
2. **Directory listing**
   1. Web servers can be configured to automatically list the contents of directories that do not have an index page present
   2. After identifying the resources at a given path, an attacker can go straight to analyzing and attacking those resources
   3. Important note: directory listings themselves are **not necessarily a security vulnerability**, but if the website also **fails to implement proper access control, leaking sensitive resources** in this way is clearly an issue.
3. **Developer comments:**
   1. Sometimes developers forget comments or leave them deliberately
   2. Developers must delete these comments before deploying to production, because they **might reveal hidden directories**
   3. They can easily be accessed using Burp or the page source
4. **Error messages:**
   1. Error messages can return information about what input or data type is expected from a given parameter
   2. This can help you narrow down your attack by identifying exploitable parameters.
   3. The information can be: the name of the template engine, database type, or server that the website is using, and its version number
      1. You can easily **search for any documented exploits** that may exist for this version
      2. Check whether there are any common configuration errors or dangerous default settings
   4. If the website is using some kind of open-source framework, you can study the publicly available source code
5. **Debugging data:**
   * Many websites generate custom error messages and logs that contain large amounts of information **about the application's behavior**.
   * This is also extremely useful to an attacker if it is leaked in the production environment; it can contain information like:
     * Values for key session variables that can be manipulated via user input
     * Hostnames and credentials for back-end components
     * File and directory names on the server
     * Secret keys used to encrypt data transmitted via the client
6. **Source code disclosure via backup files:**
   * Makes it easier for an attacker to understand the application's behavior and construct high-severity attacks
   * Sensitive data is sometimes even hard-coded within the source code, like API keys and credentials for accessing back-end components.
   * When **mapping out a website**, you `might find some source code files` such as `.php`
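As an added example (not from the original notes), the same failing back-end call handled two ways in plain Python: the verbose handler returns the kind of error message and debugging data described under "Error messages" and "Debugging data", while the hardened handler keeps those details in the server log behind a correlation id. The back-end call, table and column names are constructed for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

class DatabaseError(Exception):
    pass

def lookup_user(user_id):
    # Constructed back-end call that fails the way a real query might, with a
    # message naming the table, column and database version (all made up here).
    raise DatabaseError(
        f"SQLSTATE[42S22]: Unknown column 'usr_email' in 'users' for id={user_id} (MySQL 5.7.33)"
    )

def verbose_handler(user_id):
    """'Before': the exception text and stack trace go straight to the client."""
    try:
        return 200, lookup_user(user_id)
    except Exception as exc:
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"

def hardened_handler(user_id):
    """'After': full detail stays in the server log under a correlation id; the client only gets the id."""
    try:
        return 200, lookup_user(user_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed", ref, exc_info=True)  # server-side only
        return 500, f"Something went wrong. Reference: {ref}"

# Internal details the notes list as dangerous to expose; used to check a client-facing body.
LEAK_MARKERS = ("SQLSTATE", "usr_email", "users", "MySQL", "Traceback", "lookup_user")

def leaks_internals(body):
    """True if a client-facing body contains any of the internal details above."""
    return any(marker in body for marker in LEAK_MARKERS)

if __name__ == "__main__":
    for handler in (verbose_handler, hardened_handler):
        status, body = handler(42)
        print(f"{handler.__name__}: status={status} leaks={leaks_internals(body)}")
```

The reference id lets support staff find the full stack trace in the server log without any of it reaching the client.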
