WebApp 101

WebApps 101: Information Disclosure Vulnerabilities and PortSwigger Lab Examples

Note: Majority of the content here was ripped directly from PortSwigger.net.

Table of Contents:

  • What is information disclosure?
  • What are some examples of information disclosure?
  • How to prevent information disclosure vulnerabilities
  • Practical Lab Examples
    • Example A: Information disclosure in error messages
    • Example B: Information disclosure on debug page (using comments)
    • Example C: Source code disclosure via backup files
    • Example D: Authentication bypass via information disclosure

What is information disclosure?

Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users. Depending on the context, websites may leak all kinds of information to a potential attacker, including:

  • Data about other users, such as usernames or financial information
  • Sensitive commercial or business data
  • Technical details about the website and its infrastructure

The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical information can sometimes be just as serious. Although some of this information will be of limited use, it can potentially be a starting point for exposing an additional attack surface, which may contain other interesting vulnerabilities. The knowledge that you are able to gather could even provide the missing piece of the puzzle when trying to construct complex, high-severity attacks.

Occasionally, sensitive information might be carelessly leaked to users who are simply browsing the website in a normal fashion. More commonly, however, an attacker needs to elicit the information disclosure by interacting with the website in unexpected or malicious ways. They will then carefully study the website’s responses to try and identify interesting behavior.

What are some examples of information disclosure?

Some basic examples of information disclosure are as follows:

  • Revealing the names of hidden directories, their structure, and their contents via a robots.txt file or directory listing
  • Providing access to source code files via temporary backups
  • Explicitly mentioning database table or column names in error messages
  • Unnecessarily exposing highly sensitive information, such as credit card details
  • Hard-coding API keys, IP addresses, database credentials, and so on in the source code
  • Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior

How to prevent information disclosure vulnerabilities

Preventing information disclosure completely is tricky due to the huge variety of ways in which it can occur. However, there are some general best practices that you can follow to minimize the risk of these kinds of vulnerability creeping into your own websites.

  • Make sure that everyone involved in producing the website is fully aware of what information is considered sensitive. Sometimes seemingly harmless information can be much more useful to an attacker than people realize. Highlighting these dangers can help make sure that sensitive information is handled more securely in general by your organization.
  • Audit any code for potential information disclosure as part of your QA or build processes. It should be relatively easy to automate some of the associated tasks, such as stripping developer comments.
  • Use generic error messages as much as possible. Don’t provide attackers with clues about application behavior unnecessarily.
  • Double-check that any debugging or diagnostic features are disabled in the production environment.
  • Make sure you fully understand the configuration settings, and security implications, of any third-party technology that you implement. Take the time to investigate and disable any features and settings that you don’t actually need.

Practical Lab Examples

Example A: Information disclosure in error messages

In this example, we have an eCommerce site that uses Product IDs to track its products. When you select a project, the URL presents ?productID=1 as a parameter. By modifying your request to use a non-valid number, we’re able to trigger an error message that leaks the Apache version.

Example B: Information disclosure on debug page (using comments)

In this example, we’re able to leverage Burp Suite to crawl the site and look for comments in the source code. One of the comments hint at a directory present at /cgi-bin/phpinfo.php. Browsing to this allows us to enumerate a wealth of information about the website.

To automate hunting for comments, you can use Burp:

  1. Navigate to Target and select Site Map.
  2. Right click the correct target, select Engagement Tools, and select Find Comments.

Example C: Source code disclosure via backup files

In this example, robots.txt shows us a /backup directory. That directory allows for listing to anybody, so we’re able to see a backup file in .bak format. Viewing the contents of this file reveals a hardcoded credential in plain text.

Always check robots.txt and source code!

Example D: Authentication bypass via information disclosure

In this example, we try to access the admin interface at /admin. However, browsing to this page returns an error stating that it is only accessible when accessing it locally.

To debug this a bit, we decide to intercept the default GET /admin request, and change it to a TRACE /admin request. Doing so shows us that the webserver adds an additional header that contains our IP address.

Assuming this is what is used to determine whether or not we’re locally accessing the page, we will append our own value for this header to every request we make to the server. To automate this, we can use Burp Suite:

  1. Navigate to Proxy and select Options.
  2. Find the Match and Replace section and click Add.
  3. Leave the Match blank, but enter the following into Replace: X-Custom-IP-Authorization:

Now reissuing the GET /admin request bypasses the local IP address restriction, which we were only able to determine because of the information disclosure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s