😍Information disclosure

• it’s a vulnerability that happen when website leak important data and hacker find a lot of thing :

  1. Data about other users, such as usernames or financial information

  2. Sensitive commercial or business data

  3. Technical details about the website and its infrastructure

• occurs when an application fails to properly protect sensitive information, giving users access to information they shouldn’t have available

💡 Examples of information disclosure

1. get hidden directories, their structure, and their contents via a robots.txt file

2. source code ⇒ ( .git - .backup - .old ,,,,,)

3. backup files ⇒ ( zip - tar - RAR ,,, )

4. Hidden Files: ⇒ files that start with . like .hidden.php get it with ls -lah

5. Github search ⇒ found files like ssh keys or api or token

6. internal IP addresses

7. website mentioning database table or column names in error messages

8. show sensitive information, such as credit card details

💡 How can it happen ?

1. developer doesn’t remove internal content from public content.

2. Insecure configuration of the website and related technologies

   1. by displaying verbose information from error messages about website

3. Flawed design and behavior of the application :

   1. For example, if a website returns responses with different error ,, it happen when we make brute force login page with usernames

💡 impact of information disclosure vulnerabilities ?

1. have a high impact on the users like : online shop leaking its customers' credit card details

2. leaking technical information : directory structure - frameworks are being used

3. leak source code or get to internal structure like found ssh key to internal server<aside>

💡 How to test for information disclosure vulnerabilities :

• 1- Fuzzing

  1. identify interesting parameters automate this process ( Burp Intruder )

  2. Add payload positions to parameters and use pre-built wordlists of fuzz

  3. identify differences in responses by comparing HTTP status codes, response times, lengths

  4. use the Logger++ extension, in addition to logging requests and responses from all of Burp's tools, it allows you to define advanced filters for highlighting interesting entries.
• 2- Using Burp pro Scanner

  1. you can schedule automated scans to crawl and audit the target site

  2. Burp Scanner will alert you if it finds sensitive information such as private keys, email addresses, and credit card and backup files, directory listings in a response

• 3- Using Burp's engagement tools

  1. Search :

     1. use this tool to look for any expression within the selected item.

     2. find results using various advanced search options, such as regex search or negative search.

  2. Find comments

     1. use this tool to quickly extract any developer comments found in the selected item.

     2. It also provides tabs to instantly access the HTTP request/response cycle in which each comment was found

  3. Discover content :

     1. this tool to identify additional content and functionality that is not linked from the website's visible content.

     2. finding additional directories and files that won't necessarily appear in the site map automatically.

• 4- Engineering informative responses

  1. error messages can sometimes disclose interesting information while you test

  2. we take the second step depend on the error message

Methods for test :

1. web crawlers :

   1. many website provide **/robots.txt** and **/sitemap.xml** to help crawlers navigate their site. they may contain sensitive information.

   2. some times burp don’t get in site map then we can **** access manually

2. Directory listing

   1. Web servers can be configured to automatically list the contents of directories that do not have an index page present

   2. after identify the resources at a given path , attacker directly to analyzing and attacking those resources

   3. Important note : Directory listings themselves are not necessarily a security vulnerability. but , if the website also fails to implement proper access control, it lead to leaking sensitive resources in this way is clearly an issue.

3. Developer comments :

   1. sometimes developer forget comments or leave it deliberately

   2. developer must delete this comment before changing in production environment. because it might lead to hidden directories

   3. we can easily be accessed using Burp , or page source

4. Error messages :

   1. error messages can return information about what input or data type is expected from a given parameter

   2. This can help you to narrow down your attack by identifying exploitable parameters.

   3. Information can be : name a template engine, database type, or server that the website is using and version number

      1. you can easily search for any documented exploits that may exist for this version

      2. check whether there are any common configuration errors or dangerous default settings

   4. if website is using some kind of open-source framework ? . you can study the publicly available source code

   5. Debugging data :

      • many websites generate custom error messages and logs that contain large amounts of information about the application's behavior.

      • it is also extremely useful to an attacker if it is leaked in the production environment it can contain information like

        • Values for key session variables that can be manipulated via user input

        • Hostnames and credentials for back-end components

        • File and directory names on the server

        • secret Keys used to encrypt data transmitted via the client

   6- Source code disclosure via backup files :

   • make it easier for an attacker to understand the application's behavior and construct high-severity attacks

   • Sensitive data is sometimes even hard-coded within the source code. like : API keys and credentials for accessing back-end components.

   • When mapping out a website, you might find some source code files such as .php