Information Disclosure
Summary
Web applications by default disclose a lot of information in error messages, responses, and even files. It is up to developers to remove information that is not needed or warranted in the context. Still, error messages may reveal details about the backend technology, sitemap files may be left in place, and TRACE may be left enabled. Information disclosure is commonly encountered while testing or fuzzing other avenues of compromise, but the key to becoming a good bug bounty hunter is understanding what is and isn't useful information in the errors you get.
Methodology
When looking at information disclosures, try the following and ask yourself these questions:
- What technology is being used here?
- Why might this error be happening?
- Is there any version or additional information leaked here?
- Try accessing robots.txt and sitemap.xml.
- Try to intentionally induce an error with stray quotes or special characters.
- Look for leftover comments and hardcoded credentials or keys.
- Look for any debug functionality.
- Try TRACE to see any additional headers that are set when sending requests.
- Check for an exposed .git directory.
- Logger++ can be used to compare errors and pages.
- grep and the Burp engagement tools work too.
- Try to compare the different response codes, times, and lengths of error responses.
  - Each of these implies a different error, and understanding the difference is key.
- If all else fails, fuzz for errors.
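As an added example (not part of the original note), a small Python self-audit that classifies HTTP responses for the indicators listed above (version strings in headers, runtime error text in the body, exposed .git content, TRACE reflecting request headers) and fingerprints error pages by status and length so that differing errors can be compared. The sample responses and the regular expressions are constructed assumptions, not captures from any real site.

```python
import re

# Constructed sample responses, not real captures: (label, method, status, headers, body)
SAMPLES = [
    ("db error", "GET", 500,
     {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
     "Warning: mysqli_connect(): Access denied in /var/www/app/db.php on line 12"),
    ("git head", "GET", 200, {"Server": "nginx"}, "ref: refs/heads/main\n"),
    ("trace", "TRACE", 200, {"Content-Type": "message/http"},
     "TRACE / HTTP/1.1\r\nCookie: session=abc\r\n"),
    ("clean 404", "GET", 404, {"Server": "nginx"}, "Not found"),
]

# Headers that commonly carry product and version information
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Assumed patterns for runtime error text that should never reach a client
STACK_TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),                # Python
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),                        # Java
    re.compile(r"(Warning|Fatal error|Notice): .* in /\S+ on line \d+"),  # PHP
]

def audit_response(method, status, headers, body):
    """Return a list of disclosure findings for one response (empty if clean)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in VERSION_HEADERS:
        value = hdrs.get(name)
        if value and re.search(r"\d+\.\d+", value):  # a dotted number is a version string
            findings.append(f"version in {name} header: {value}")
    if any(p.search(body) for p in STACK_TRACE_PATTERNS):
        findings.append("runtime error text in body")
    if body.startswith("ref: refs/"):  # content of a .git/HEAD file
        findings.append("exposed .git/HEAD content")
    if method == "TRACE" and status == 200 and body.startswith("TRACE "):
        findings.append("TRACE enabled: request headers reflected")
    return findings

def fingerprint(status, body):
    """Status code plus body length, the cheap way to tell two error pages apart."""
    return (status, len(body))

def run_audit(samples=SAMPLES):
    """Audit every sample; map label -> (fingerprint, findings)."""
    return {label: (fingerprint(st, body), audit_response(m, st, h, body))
            for label, m, st, h, body in samples}

if __name__ == "__main__":
    for label, (fp, findings) in run_audit().items():
        print(label, fp, findings or "clean")
```

Running it prints one line per sample; only the "clean 404" sample produces no findings.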