Exploiting Information Disclosure

What is information disclosure: when an application does not handle errors properly, or lacks proper protection, it leaks internal data in its responses. The leak may be an error message, a version banner, a file path, a configuration value, or any other data the user was never meant to see.

So an attacker gains more information about the target, which he can use to exploit the application, escalate privileges, or destroy data.

The direct impact is usually low, but the gathered information feeds the later stages of an attack.

Example: We tried to trigger an error on the URL “https://testfire.net/product?productId=1”. The resulting error page disclosed the version of Apache.


For this particular version I found an exploit on “exploit-db” that leads to RCE.


· The attacker obtains some valuable information from the web application (here, the server version).

· He searches for exploits for that version on public sources, as I did on exploit-db above.

· Sometimes the exploit needs small modifications for the target; here it worked as published. A banner version is only a lead: distributions often backport security fixes without changing the version string, so confirm the vulnerability before relying on it.

· That exploit then leads to exploitation of the web application.

How to find: We can use a scanner or search manually. There are many ways to find disclosure, and the severity depends on what is found.

· Banner grabbing during active or passive information gathering.

· Application source code that is publicly available, for example on GitHub, may contain juicy information such as credentials or API keys.

· Information disclosed in the View Source of a page.

· Sometimes robots.txt or phpinfo.php discloses information.

· SQL errors mentioning database, table or column names.

· File names and file paths disclosed in responses.

· Thumbnails that reveal sensitive information.

· Runtime errors generated by the server (stack traces).

· Unencrypted cookie parameters or ViewState disclosing sensitive information.
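As an added example (not code from the original post), the following Python checker applies several of the checks above to raw HTTP responses: it flags version banners in headers, SQL errors, PHP warnings, stack traces, file paths, Apache server signatures and phpinfo pages in the body, and pulls out (product, version) pairs ready for an exploit-db search. The two sample responses are constructed for the example and were not captured from any real host; the signature patterns are illustrative and should be extended for the target stack.

```python
import re

# Headers whose values commonly carry software versions (banner grabbing).
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Generator")

# Body signatures for the disclosure classes listed above. Illustrative, not exhaustive.
BODY_PATTERNS = {
    "sql_error": re.compile(
        r"(You have an error in your SQL syntax|ORA-\d{5}|Unclosed quotation mark|SQLSTATE\[|pg_query\(\))", re.I),
    "php_warning": re.compile(r"<b>(Warning|Notice|Fatal error)</b>:"),
    "stack_trace": re.compile(
        r"(Traceback \(most recent call last\)|at [\w.$]+\(\w+\.java:\d+\)|Stack trace:|#\d+ /\S+\.php\(\d+\))"),
    "file_path": re.compile(r"(/(?:var/www|etc|home|opt)/[\w./-]+|[A-Z]:\\(?:[^\\\s<]+\\)+[^\\\s<]+)"),
    "server_signature": re.compile(r"<address>.*?(Apache|nginx)/[\d.]+.*?</address>", re.I | re.S),
    "phpinfo": re.compile(r"<title>phpinfo\(\)</title>|PHP Version\s*\d+\.\d+", re.I),
}

VERSION_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def find_disclosures(raw):
    """Return a list of {type, where, evidence} findings for one response."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name.lower())
        if value and re.search(r"\d+\.\d+", value):  # only flag when a version number is present
            findings.append({"type": "version_banner", "where": name, "evidence": value})
    for kind, pattern in BODY_PATTERNS.items():
        match = pattern.search(body)
        if match:
            findings.append({"type": kind, "where": "body", "evidence": match.group(0)[:80]})
    return findings


def disclosure_types(raw):
    """The set of disclosure classes present in a response."""
    return {f["type"] for f in find_disclosures(raw)}


def extract_versions(raw):
    """(product, version) pairs from banner headers: the input for an exploit-db / CVE search."""
    _, headers, _ = parse_response(raw)
    pairs = []
    for name in BANNER_HEADERS:
        pairs.extend(VERSION_RE.findall(headers.get(name.lower(), "")))
    return pairs


# Constructed sample responses (not captured from any real host).
SAMPLE_ERROR_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.15 (Unix)\r\n"
    b"X-Powered-By: PHP/5.3.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<h1>Internal Server Error</h1>\n"
    b"<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource in "
    b"<b>/var/www/html/product.php</b> on line <b>42</b><br>\n"
    b"You have an error in your SQL syntax; check the manual near 'productId=1'' at line 1\n"
    b"<address>Apache/2.2.15 (Unix) Server at www.example.com Port 80</address>\n"
)
SAMPLE_HARDENED_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<h1>Something went wrong</h1><p>Reference: 7f3a9c</p>\n"
)

if __name__ == "__main__":
    for f in find_disclosures(SAMPLE_ERROR_RESPONSE):
        print(f"{f['type']:17} {f['where']:12} {f['evidence']}")
    print("versions:", extract_versions(SAMPLE_ERROR_RESPONSE))
    print("hardened:", find_disclosures(SAMPLE_HARDENED_RESPONSE))
```

Feed it the raw bytes of any response saved from Burp or curl. A hardened server gives an empty finding list; the versions it returns are a starting point for searching, not proof of a vulnerability.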

Exploitation:

Our aim is to find a debug page that discloses the SECRET_KEY.

There are many ways to check for disclosed information; I discuss some of them here.

· Checking the request and response headers while generating an error.

Request:


No cookie header disclosed any information, and the response contained an error.


The generated error did not disclose any information.

· Checking the View Source of the URL.


Nothing useful here either.

· Checking whether the JS files in the application disclose any information:


We can list the available scripts in Burp (Professional):

SiteMap- > Application URL (right click) → Engagement tools -> Find Scripts

This lists all the JavaScript files.

But these JS files did not give us anything.

· Checking whether the comments in the application's pages disclose any information:

SiteMap- > Application URL (right click) → Engagement tools -> Find Comments


From the comments we learned that a “cgi-bin” folder exists. Paths found in comments, or in the main site tree, tell us where to focus the scan.

· At last I started crawling the application. To crawl it we can use:


Burp -> Target -> Application (right click ) -> Scan

After running this I got an application tree containing some URLs I had missed while crawling manually.

Application tree looks like as shown below:


So I opened the “cgi-bin” folder mentioned in the comments. Inside it:


I found phpinfo.php. Opening it gave access to the phpinfo.php page, an internal page, and there we got the SECRET_KEY value.


So information disclosure can also expose internal configuration, not just version banners.
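The steps above (list scripts, list comments, pull paths out of them, then probe the discovered directories) can be done without Burp. The following Python script is an added example and not the author's code: it parses a page with the standard library, collects script sources, inline script, HTML comments and links, extracts path-like tokens and hard-coded credentials from comments and inline script, and builds the list of URLs to request next, including a small assumed wordlist of disclosure files (phpinfo.php and friends) for every discovered directory. The sample HTML and base URL are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Path-like tokens inside comments or scripts. The lookbehind skips "</a>"-style closing tags.
PATH_RE = re.compile(r"(?<![\w<])(?:/[\w.-]+)+/?")
# Hard-coded credential assignments in inline JavaScript.
SECRET_RE = re.compile(r"(api[_-]?key|secret|token|password)\s*[:=]\s*[\"']([^\"']+)[\"']", re.I)
# Files worth requesting in every discovered directory (assumed wordlist, not from the post).
COMMON_DISCLOSURE_FILES = ("phpinfo.php", "info.php", "test.php", ".env", ".git/config")


class ReconParser(HTMLParser):
    """Collects what Burp's Find Scripts / Find Comments surface: script sources, inline script, comments, links."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inline_scripts, self.comments, self.links = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.append(a["src"])
        elif tag in ("a", "link", "iframe", "form", "img"):
            ref = a.get("href") or a.get("action") or a.get("src")
            if ref:
                self.links.append(ref)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def _directory(path):
    """'/cgi-bin/status.cgi' -> '/cgi-bin/', '/login' -> '/', '/api/v2?x=1' -> '/api/'."""
    path = path.split("?", 1)[0]
    return path if path.endswith("/") else path.rsplit("/", 1)[0] + "/"


def recon(html, base_url):
    """Return discovered scripts, comments, leaked paths, secrets and the URLs to request next."""
    p = ReconParser()
    p.feed(html)
    comment_paths = [m for c in p.comments for m in PATH_RE.findall(c)]
    script_paths = [m for s in p.inline_scripts for m in PATH_RE.findall(s)]
    secrets = [(k.lower(), v) for s in p.inline_scripts for k, v in SECRET_RE.findall(s)]
    paths = list(dict.fromkeys(p.scripts + p.links + comment_paths + script_paths))  # de-dup, keep order
    directories = list(dict.fromkeys(_directory(x) for x in paths if x.startswith("/")))
    return {
        "scripts": p.scripts,
        "comments": p.comments,
        "comment_paths": comment_paths,
        "secrets": secrets,
        "candidate_urls": [urljoin(base_url, x) for x in paths],
        "probe_urls": [urljoin(base_url, d + f) for d in directories for f in COMMON_DISCLOSURE_FILES],
    }


# Constructed sample page (not fetched from any real site).
SAMPLE_HTML = """<html><head>
<!-- build 2019-03-01; old admin scripts still live under /cgi-bin/ -->
<script src="/static/js/app.min.js"></script>
<script>
  var cfg = { apiBase: "/api/v2", debug: true };
  // var api_key = "EXAMPLE-KEY-0000";  commented out but still shipped to every visitor
</script>
</head><body>
<a href="/product?productId=1">Products</a>
<a href="/login">Login</a>
<!-- <a href="/cgi-bin/status.cgi">status</a> -->
</body></html>"""

if __name__ == "__main__":
    result = recon(SAMPLE_HTML, "https://www.example.com/")
    for key in ("scripts", "comment_paths", "secrets", "candidate_urls", "probe_urls"):
        print(key, result[key])
```

Run it over each page saved from the crawl; the probe_urls list is what you then request (with a scanner or by hand) to find files such as phpinfo.php that the site never links to.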

Preventive measures / Mitigation

· Error display should be turned off on the server, so that if an error occurs it is never shown in the UI.

· Running services and open ports should not disclose internal information such as software versions.

· Always cross-check data before uploading it to public websites, so that credentials and API keys do not end up in public source code.

· Proper validation and exception handling, so that all exceptions are caught.

· Return a standard error page to the user and send the error details to a log file.

· Directory listing should be disabled on the server.

· Avoid placing sensitive content in HTML comments.
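To make the first and fifth points concrete, here is an added example (not from the original post) of the weak and the corrected error handling side by side, written as two minimal WSGI applications: the "before" version echoes the traceback and a version banner to the client, the "after" version logs the full traceback server-side under a correlation id and returns only a generic page. The product lookup, the version string in the banner and the in-memory log sink are constructed for the example; in production the log handler would be a file handler readable only by operators.

```python
import logging
import traceback
import uuid
from html import escape
from urllib.parse import parse_qs

# Server-side log sink. A list keeps the example self-contained; use logging.FileHandler in production.
SERVER_LOG = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        SERVER_LOG.append(self.format(record))


log = logging.getLogger("product-app")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)

CATALOGUE = {"1": "Widget"}  # constructed back end


def lookup_product(product_id):
    """Raises KeyError for unknown ids: the failure whose handling is compared below."""
    return CATALOGUE[product_id]


def _product_id(environ):
    return parse_qs(environ.get("QUERY_STRING", "")).get("productId", [""])[0]


def leaky_app(environ, start_response):
    """Before: debug-style handling. Traceback, file path and software versions go to the client."""
    banner = "Apache/2.2.15 (Unix) PHP/5.3.3"  # constructed version banner
    try:
        name = lookup_product(_product_id(environ))
    except Exception:
        body = "<h1>Internal Server Error</h1><pre>" + escape(traceback.format_exc()) + "</pre>"
        start_response("500 Internal Server Error", [("Content-Type", "text/html"), ("Server", banner)])
        return [body.encode()]
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", banner)])
    return [f"<h1>{escape(name)}</h1>".encode()]


def hardened_app(environ, start_response):
    """After: generic error page for the user, full detail only in the server-side log."""
    try:
        name = lookup_product(_product_id(environ))
    except Exception:
        ref = uuid.uuid4().hex[:12]  # correlation id: lets support find the log entry without exposing it
        log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"), traceback.format_exc())
        body = f"<h1>Something went wrong</h1><p>Reference: {ref}</p>"
        start_response("500 Internal Server Error", [("Content-Type", "text/html"), ("Server", "webserver")])
        return [body.encode()]
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "webserver")])
    return [f"<h1>{escape(name)}</h1>".encode()]


def call(app, path, query):
    """Minimal in-process WSGI client so the comparison runs without a real server."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for app in (leaky_app, hardened_app):
        status, headers, body = call(app, "/product", "productId=9")
        print(app.__name__, status, headers["Server"])
        print(body)
    print("server log:", SERVER_LOG)
```

The same split applies to a PHP/Apache stack like the one in the walkthrough: display_errors=Off with log_errors=On in php.ini, expose_php=Off to drop the X-Powered-By version, and ServerTokens Prod, ServerSignature Off and Options -Indexes in the Apache configuration to remove the banner, the footer signature and directory listings.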

Written by: Security enthusiast working to secure the web for others, https://twitter.com/BoredSecEngg
