What Is Information Disclosure: When an application does not handle errors properly, or fails to protect its internal resources, its responses reveal internal data: stack traces, version banners, file paths, configuration values. This exposure of data is information disclosure.
An attacker uses it to learn more about the target and then to exploit it: the leaked details point to known vulnerabilities, help him tamper with or destroy data, or support privilege escalation.
The direct impact of a single disclosure is usually low, but the information gathered is what makes later exploitation possible.
Example: We try to generate an error on the URL “https://testfire.net/product?productId=1”. The error page discloses information, namely the version of Apache in use.
For this particular version I found an exploit on “exploit-db” which leads to RCE.
· The attacker obtains some valuable information from the web application (here, the server version).
· He searches for exploits against it on public sources, as I did with “exploitdb” in the diagram above.
· Sometimes a published exploit works as it is; sometimes it needs small modifications for the target. Here a working one was available.
· That exploit leads to exploitation of the web application.
How to find: We can use a scanner or look manually. There are many ways to find disclosures, and the severity depends on what is found.
· Banner grabbing during active or passive information gathering gives server and framework versions.
· Publicly available source code, e.g. on GitHub, can contain juicy information such as credentials or API keys.
· View Source of a page can disclose information in comments, hidden fields or script paths.
· robots.txt, phpinfo.php and similar files sometimes disclose information.
· SQL errors that mention the database, table or column names.
· File names and file paths disclosed in responses.
· Thumbnails that reveal sensitive content.
· Run-time errors generated by the server.
· Unencrypted cookie values or ViewState that carry sensitive data.
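The checks in the list above can be scripted. The following is an added example (not code from the original write-up, and not related to testfire.net): it triages one HTTP response for version banners in headers, SQL errors, stack traces, file paths and HTML comments in the body, and pulls the Disallow entries out of a robots.txt. The sample responses and the robots.txt are constructed so that the script runs offline.

```python
"""Triage HTTP responses for the disclosure signs listed above.

Added example. The responses and robots.txt below are constructed samples,
not captures from any real site.
"""
import re

# Headers that commonly carry a version banner; a hit needs an x.y version string.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

# Body patterns for the error, path and debug artefacts a scanner would flag.
BODY_PATTERNS = {
    "sql-error": re.compile(
        r"You have an error in your SQL syntax|SQLSTATE\[|ORA-\d{5}|"
        r"Unclosed quotation mark|mysql_fetch|pg_query", re.I),
    "stack-trace": re.compile(
        r"Traceback \(most recent call last\)|Exception in thread|"
        r"Fatal error:|Warning: .* on line \d+|\bat [\w.$]+\(\w+\.java:\d+\)", re.I),
    "file-path": re.compile(r'/var/www/\S+|/home/\w+/\S+|[A-Z]:\\[^\s"<]+'),
    "html-comment": re.compile(r"<!--(.*?)-->", re.S),
    "debug-page": re.compile(r"<title>phpinfo\(\)</title>|PHP Version \d", re.I),
}


def find_disclosures(headers, body):
    """Return (category, evidence) pairs found in one response.

    `headers` is a dict of response headers (any case), `body` the decoded body.
    """
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower(), "")
        if VERSION_RE.search(value):
            findings.append(("version-banner", f"{name}: {value}"))
    for category, pattern in BODY_PATTERNS.items():
        for match in pattern.finditer(body):
            evidence = match.group(1) if match.lastindex else match.group(0)
            findings.append((category, " ".join(evidence.split())[:80]))
    return findings


def robots_disallow_paths(robots_txt):
    """Paths the operator asked crawlers to skip: a cheap hint at admin or debug areas."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


# Constructed sample: a PHP application that leaks on a bad productId.
SAMPLE_ERROR = {
    "headers": {"Server": "Apache/2.2.15 (Unix)", "X-Powered-By": "PHP/5.3.3",
                "Content-Type": "text/html"},
    "body": (
        "<html><!-- TODO: remove /cgi-bin/phpinfo.php before go-live -->\n"
        "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
        "result resource in /var/www/html/product.php on line 42<br>\n"
        "You have an error in your SQL syntax; check the manual near 'productId='\n"
        "</html>"
    ),
}

# Constructed sample: the same failure behind a generic error page and a bare banner.
SAMPLE_CLEAN = {
    "headers": {"Server": "Apache", "Content-Type": "text/html"},
    "body": "<html><h1>Something went wrong</h1>"
            "<p>Please quote reference 4f1c9a when contacting support.</p></html>",
}

SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /cgi-bin/\nAllow: /\n"


if __name__ == "__main__":
    for category, evidence in find_disclosures(SAMPLE_ERROR["headers"], SAMPLE_ERROR["body"]):
        print(f"{category:15} {evidence}")
    print("clean response:", find_disclosures(SAMPLE_CLEAN["headers"], SAMPLE_CLEAN["body"]))
    print("robots.txt hints:", robots_disallow_paths(SAMPLE_ROBOTS))
```

The patterns are deliberately broad; on a real engagement the output is a list of things to look at by hand, not a verdict. Note that the hardened sample produces no findings even though the underlying failure is the same, which is the behaviour the mitigation section at the end asks for.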
Our aim is to find a debug page that discloses SECRET_KEY.
There are many methods to check for information; here I discuss some of them.
· Checking the request and response headers while generating an error.
No cookie header disclosed any information, and in the response we got an error.
So the generated error did not disclose any information.
· Checking the View Source of the URL.
From here we are also not getting anything.
· Checking whether the JS files available in the application disclose any information:
We can list the available scripts in Burp (Professional version):
SiteMap -> Application URL (right click) -> Engagement tools -> Find Scripts
This gives us all the JavaScript in the application.
But from these JS files we are not getting anything.
· Checking whether publicly visible comments in the application disclose any information:
SiteMap -> Application URL (right click) -> Engagement tools -> Find Comments
From the comments we learn that a “cgi-bin” folder exists. So, starting from the comments or from the main site tree, we can scan the application.
· At last I started crawling the application. To crawl an application we can use
Burp -> Target -> Application (right click) -> Scan
After using this option I finally got the application tree, which contained some URLs I had not reached while crawling the application manually.
The application tree looks like as shown below:
So I opened the “cgi-bin” folder mentioned in the comments. There I found that phpinfo.php exists. When I opened that file I got access to the phpinfo.php page, which is an internal page, and it disclosed the SECRET_KEY value.
So information disclosure can also expose internal pages and configuration values.
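The chain above (Find Comments and Find Scripts, follow the hinted paths, read the secret out of the phpinfo page) can be reproduced without Burp. The following is an added example, not the write-up's code and not testfire.net's: it mines comments and script sources from a landing page with the standard library HTML parser, turns every path it finds into candidate URLs (including parent directories such as /cgi-bin/), and parses a phpinfo()-style two-column table for keys that look like secrets. The landing page, the phpinfo output and the in-memory "site" are constructed; the table layout only mimics what phpinfo() renders, and the values are placeholders.

```python
"""Mine comments and scripts for paths, then read secrets out of a phpinfo page.

Added example. LANDING_PAGE, SAMPLE_PHPINFO and DEMO_SITE are constructed
inputs standing in for fetched pages; nothing here talks to a network.
"""
import re
from html.parser import HTMLParser


class _Miner(HTMLParser):
    """Collects HTML comments and <script src> values, like Burp's engagement tools."""

    def __init__(self):
        super().__init__()
        self.comments, self.scripts = [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)


def mine_html(html):
    """Return (comments, script sources) found in a page."""
    miner = _Miner()
    miner.feed(html)
    return miner.comments, miner.scripts


# An absolute path: a slash not preceded by a word character (so "and/or" is skipped).
PATH_RE = re.compile(r"(?<!\w)/[\w./-]+")


def candidate_paths(html):
    """Paths mentioned in comments or scripts, plus each of their parent directories."""
    comments, scripts = mine_html(html)
    found = set()
    for text in comments + scripts:
        for path in PATH_RE.findall(text):
            path = path.rstrip(".")
            found.add(path)
            parts = path.strip("/").split("/")
            for depth in range(1, len(parts)):          # /cgi-bin/x.php -> /cgi-bin/
                found.add("/" + "/".join(parts[:depth]) + "/")
    return sorted(found)


# phpinfo() renders each setting as <td class="e">NAME</td><td class="v">VALUE</td>.
ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
SECRET_NAME_RE = re.compile(r"SECRET|PASS|TOKEN|API_KEY|PRIVATE|DSN|DATABASE_URL", re.I)


def phpinfo_entries(html):
    """All name/value rows of a phpinfo-style page as a dict."""
    return {name.strip(): value.strip() for name, value in ROW_RE.findall(html)}


def leaked_secrets(entries):
    """Entries whose name suggests a credential or signing key."""
    return {name: value for name, value in entries.items() if SECRET_NAME_RE.search(name)}


def hunt(landing_html, fetch):
    """Follow every hinted path and report leaked secrets, keyed by path.

    `fetch` maps a path to a response body or None; the demo uses a dict's .get.
    """
    report = {}
    for path in candidate_paths(landing_html):
        body = fetch(path)
        if body is None:
            continue
        secrets = leaked_secrets(phpinfo_entries(body))
        if secrets:
            report[path] = secrets
    return report


LANDING_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<!-- dev note: env dump still served at /cgi-bin/phpinfo.php, remove before release -->
</head><body><h1>Products</h1><a href="/product?productId=1">Widget</a></body></html>"""

SAMPLE_PHPINFO = """<html><head><title>phpinfo()</title></head><body><h2>Environment</h2>
<table><tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">example-secret-key-not-real </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v">example-db-password </td></tr>
<tr><td class="e">HTTP_HOST </td><td class="v">shop.example </td></tr>
</table></body></html>"""

DEMO_SITE = {  # constructed stand-in for the web server
    "/js/app.js": "console.log('app');",
    "/cgi-bin/": "<html><h1>403 Forbidden</h1></html>",
    "/cgi-bin/phpinfo.php": SAMPLE_PHPINFO,
}

if __name__ == "__main__":
    print("candidates:", candidate_paths(LANDING_PAGE))
    print("leaked:", hunt(LANDING_PAGE, DEMO_SITE.get))
```

Against a live target `fetch` would wrap an HTTP client and the candidate list would also be fed by the crawler's site tree; the comment-to-path step is what turned a throwaway developer note into the SECRET_KEY above.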
Preventive measures / Mitigation
· Error reporting to the client should be turned off on the server (for PHP, display_errors = Off together with log_errors = On), so that if an error occurs it is not visible in the UI.
· Running services and open ports should not disclose version banners or other internal information (for Apache, ServerTokens Prod and ServerSignature Off; for PHP, expose_php = Off).
· Always cross-check data before uploading it to public websites such as code repositories, so that credentials and API keys do not leave with it.
· Proper input validation, and handlers that catch all exceptions.
· Serve a standard error page to the client and send the error details to a log file instead.
· Directory listing should be disabled on the server (for Apache, Options -Indexes).
· Debug pages such as phpinfo.php should not exist on production servers.
· Avoid placing sensitive content in HTML comments.
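The error-handling items above, shown in code. This is an added example and not testfire.net's code: a leaky handler for the product lookup returns the raw traceback to the client, while the hardened one validates the id first, catches everything else, writes the full detail to a server-side log and gives the client only a generic page with a reference id that support can match against the log. The request is a plain dict and the product catalog a dict standing in for the database, both constructed so the script runs offline.

```python
"""Leaky versus hardened error handling for a product lookup.

Added example. CATALOG stands in for the database table and the request is a
plain dict; the logger writes to an in-memory stream so the demo runs offline.
"""
import io
import logging
import traceback
import uuid

CATALOG = {1: "Widget", 2: "Gadget"}  # constructed stand-in for a products table


def lookup_product(product_id):
    """Stand-in for the database query; raises on bad input like a real one would."""
    return CATALOG[int(product_id)]


def leaky_handler(request):
    """Vulnerable: the traceback (file paths, versions, the input) goes to the client."""
    try:
        return 200, lookup_product(request.get("productId"))
    except Exception:
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def make_error_logger(stream):
    """Logger that keeps full error detail server-side.

    The demo passes an io.StringIO; in production use logging.FileHandler(path).
    """
    logger = logging.getLogger("app.errors")
    logger.handlers.clear()
    logger.propagate = False            # keep it off stderr/root handlers
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def hardened_handler(request, logger):
    """Validate first, catch everything else, and return only a reference id."""
    product_id = request.get("productId", "")
    if not product_id.isdigit():        # reject bad input before it reaches the database
        return 400, "<h1>Invalid product id</h1>"
    try:
        return 200, lookup_product(product_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]     # ties the client message to the log entry
        logger.exception("product lookup failed ref=%s productId=%s", ref, product_id)
        return 500, f"<h1>Something went wrong</h1><p>Reference: {ref}</p>"


def run_hardened(product_id):
    """Helper for the demo: returns (status, body, server log text) for one request."""
    log = io.StringIO()
    status, body = hardened_handler({"productId": product_id}, make_error_logger(log))
    return status, body, log.getvalue()


if __name__ == "__main__":
    print("leaky:", leaky_handler({"productId": "abc"})[1])
    status, body, log_text = run_hardened("99")
    print("hardened:", status, body)
    print("--- server log ---")
    print(log_text)
```

The reference id is the piece people forget: without it the generic page hides the problem from operators as well as from attackers, and the pressure to switch verbose errors back on returns.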