Information Disclosure


Maybe there is something sensitive on the web server?


Introduction


This vulnerability is another of the Operation Vulnerabilities, the kind caused by Devs or DevOps.

Here is how I define this vulnerability: information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users.


Depending on the context, websites may leak potentially useful information that attackers can take advantage of, for example:

  • Data / credentials about other users, such as usernames or financial information.
  • Sensitive commercial or business data.
  • Technical details about the website such as source code or debug info.

Requirement


To get the most out of learning this vulnerability, you should have basic knowledge of recon tools such as nmap, gobuster, ffuf, arjun...


For more information: Reconnaissance in Cyber Security

If you have already learned about this vulnerability, why not try solving my challenges here?

Why did I say the fault is by Devs / DevOps?


  • Failure to remove internal content from public content. For example, developer comments in markup are sometimes visible to users in the production environment. 🥴

  • Insecure configuration of the website and related technologies. For example, failing to disable debugging and diagnostic features can sometimes provide attackers with useful tools to help them obtain sensitive information. Default configurations can also leave websites vulnerable, for example, by displaying overly verbose error messages. 🥴🥴

  • Flawed design and behavior of the application. For example, if a website returns distinct responses when different error states occur, this can also allow attackers to enumerate sensitive data, such as valid user credentials. 🥴🥴🥴

The devil comes..


Information disclosure vulnerabilities can have both a direct and indirect impact depending on the purpose of the website and, therefore, what information an attacker is able to obtain. In some cases, the act of disclosing sensitive information alone can have a high impact on the affected parties. For example, an online shop leaking its customers' credit card details is likely to have severe consequences.

On the other hand, leaking technical information, such as the directory structure or which third-party frameworks are being used, may have little to no direct impact. However, in the wrong hands, this could be the key information required to construct lots of exploits. The severity in this case depends on what the attacker is able to do with the information.




Okay, that's enough theory; let's try out the hacking techniques.

CTFd Platform