Information disclosure

When a website unintentionally reveals sensitive information to its users, such as:

  • Data about other users such as usernames or financial information

  • Sensitive business data

  • Technical details about the website and its infrastructure

Disclosed information of this kind can provide the missing piece of the puzzle when constructing complex, high-severity attacks.

Some basic examples of information disclosure are as follows:

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing

  • Providing access to source code files via temporary backups

  • Explicitly mentioning database table or column names in error messages

  • Unnecessarily exposing highly sensitive information, such as credit card details

  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code

  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior

  • Using Google dorks to find specific file types, e.g. site:bank.com filetype:xlsx, site:pastebin.com "mysql"

  • Finding information on Shodan, Censys, GitHub, GitLab, Bitbucket, Pastebin, CodePen
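Two of the items above, behavior differences that reveal which usernames exist and database table or column names in error messages, as an added illustration that is not part of the original notes: a leaky login check beside a uniform one, a detection check for database internals in outbound response bodies, and a generic error handler that keeps the detail server-side. The user store, salt, credentials and regex patterns are constructed for the demo.

```python
import hashlib
import hmac
import logging
import re
import uuid

# Constructed demo user store: PBKDF2 hashes, never plaintext passwords.
SALT = b"constructed-demo-salt"

def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)

USERS = {"alice": _hash("correct horse battery")}
DUMMY_HASH = _hash("placeholder")  # so unknown users cost the same to check

def login_leaky(username: str, password: str) -> str:
    """Vulnerable: different messages reveal whether the username exists."""
    if username not in USERS:
        return "Unknown username"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Incorrect password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened: one message and a hash comparison on every path, so neither
    the text nor the response time hints at which usernames exist."""
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if username not in USERS or not match:
        return "Invalid username or password"
    return "OK"

# Constructed patterns marking database or framework internals in a response.
LEAK_PATTERNS = [
    re.compile(r"Table '[\w.]+' doesn't exist"),          # MySQL table names
    re.compile(r"Unknown column '[^']+' in '[^']+'"),      # MySQL column names
    re.compile(r"Traceback \(most recent call last\)"),    # Python stack trace
    re.compile(r"SQLSTATE\[\w+\]"),                        # PDO / PHP DB errors
    re.compile(r"ORA-\d{5}"),                              # Oracle error codes
]

def leaks_technical_detail(body: str) -> bool:
    """Detection check for an outbound response body or a captured response log."""
    return any(p.search(body) for p in LEAK_PATTERNS)

def safe_error(exc: Exception) -> str:
    """Log the real error server-side under a reference id; send only the id."""
    ref = uuid.uuid4().hex[:8]
    logging.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return f"An internal error occurred (reference {ref})"
```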
