🕸️
Web Security Notes
  • README
  • Portswigger
    • Access Control
      • notes
      • labs
    • Authentication
      • notes
      • labs
    • Business Logic Vulnerabilities
      • notes
      • labs
    • Clickjacking
      • notes
      • labs
    • Command Injection
      • notes
      • labs
    • CORS
      • notes
      • labs
    • CSRF
      • notes
      • labs
    • Directory Traversal
      • notes
      • labs
    • DOM-based Vulnerabilities
      • notes
      • labs
    • File upload Vulnerabilities
      • notes
      • labs
    • HTTP Host Header Attacks
      • notes
      • labs
    • HTTP Request Smuggling
      • notes
      • labs
    • Information Disclosure
      • notes
      • labs
    • Insecure Deserialization
      • notes
      • labs
    • JWT Attacks
      • notes
      • labs
    • OAuth Authentication
      • notes
      • labs
    • Server Side Template Injection
      • notes
      • labs
    • SQL injection
      • notes
      • labs
      • cheat sheet
    • SSRF
      • notes
      • labs
    • Web Cache Poisoning
      • notes
      • labs
    • WebSockets
      • notes
      • labs
    • XSS
      • notes
      • labs
    • XXE Injection
      • notes
      • labs
Powered by GitBook
On this page
  • How do information disclosure vulnerabilities arise?
  • How to find and exploit
  • common sources of information disclosure
  1. Portswigger
  2. Information Disclosure

notes

  • Information disclosure is known as information leakage.

  • website unintentionally reveals sensitive information to its users.

  • data about other users, such as usernames, financial information

  • sensitive commercial or business data

  • technical details about the website and its infrastructure

  • basic examples of information disclosure

  1. Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing

  2. Providing access to source code files via temporary backups

  3. Explicitly mentioning database table or column names in error messages

  4. Unnecessarily exposing highly sensitive information, such as credit card detail

  5. Hard-coding API keys, IP addresses, database credentials

  6. Hinting at the existence or absence of resources, usernames, and so on via subtle differences in appliation behaviour

How do information disclosure vulnerabilities arise?

  • Failure to remove internal content from public content

  • Insecure configuration of the website and related technologies

  • Flawed design and behavior of the application

How to find and exploit

  • Fuzzing

  • using Burp Scanner

  • using Burp's engagement tools

  • Engineering informative responses

common sources of information disclosure

  • files for web crawlers

  • directory listings

  • developer comments

  • error messages

  • debugging data (eg-phpinfo files)

  • user account pages

  • backup files

  • insecure configuration

  • version control histroy

  • Many websites provides files at /robots.txt and /sitemap.xml.

  • make an error to show error messages eg - GET /product?productId=1000000000000000

PreviousInformation DisclosureNextlabs

Last updated 2 years ago