Sensitive Information Disclosure
Description
Information disclosure occurs when an application fails to properly protect sensitive or confidential information from users who are not supposed to have access to that data.
Different types of information disclosure issues
- Banner Grabbing: Banner grabbing is the process of collecting information such as the operating system, server details, and the name and version number of the running service from the banners the service itself advertises, along with similar details it reveals about itself.
- Source Code Disclosure: Source code disclosure occurs when the back-end code of a web application is exposed to the public.
- File Name and File Path Disclosure: This can happen through incorrect handling of user input, unhandled exceptions at the back end, or inappropriate web server configuration. Such information often appears in application responses, error pages, and debugging output.
- Inappropriate Handling of Sensitive Data: This can happen when sensitive data is not removed from the source code or other published artifacts. Usernames, passwords, or revealing comments may be left behind, and there are many other possibilities.
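The file name and path disclosure item above comes down to how back-end exceptions are turned into responses. The following is an added example, not code from the original page: the same hypothetical failure (a `load_report` call that raises with a server path in its message, constructed for illustration) is handled once in the leaky way, echoing the traceback to the client, and once in the hardened way, returning a generic message with an opaque reference id while the full detail goes to a server-side log. All names, paths, and the log setup are assumptions.

```python
import logging
import secrets
import traceback

log = logging.getLogger("app.errors")


def load_report(report_id: str) -> str:
    """Hypothetical back-end operation; constructed to fail with a
    path-revealing exception, as a misconfigured or missing file would."""
    raise FileNotFoundError(f"/srv/app/reports/{report_id}.csv not found")


def handle_unsafe(report_id: str) -> dict:
    """Vulnerable pattern: the traceback (exception type, message, and the
    server's own file paths) is sent straight back to the requester."""
    try:
        return {"status": 200, "body": load_report(report_id)}
    except Exception:
        return {"status": 500, "body": traceback.format_exc()}


def handle_safe(report_id: str) -> dict:
    """Hardened pattern: the client sees a generic message and an opaque
    reference id; the exception detail is logged where only operators read it.
    The reference id lets support correlate a user report with the log line."""
    try:
        return {"status": 200, "body": load_report(report_id)}
    except Exception:
        ref = secrets.token_hex(8)
        log.error("ref=%s report_id=%r\n%s", ref, report_id, traceback.format_exc())
        return {"status": 500, "body": f"An internal error occurred (reference {ref})."}


if __name__ == "__main__":
    print("--- unsafe response body ---")
    print(handle_unsafe("q1")["body"])
    print("--- safe response body ---")
    print(handle_safe("q1")["body"])
```

The same split applies to framework debug modes: the detailed page belongs in the log, not in the HTTP response, regardless of whether the request came from a browser or an API client.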
Common sources of information disclosure
- Error messages
- Debug messages
- Backup files
- Developer comments in HTML source code
- Server and database messages
- Using public information
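To turn the list of sources above into something you can run against your own application's responses, here is an added example that is not part of the original page: a small audit routine that scans a response's headers and body for the indicators those sources leave behind (version banners, stack traces and debug output, absolute file paths, developer comments that mention credentials or to-dos, backup-file references, and database error strings). The indicator patterns and the two sample responses are constructed for illustration and are not exhaustive.

```python
import re

# Header checks: (finding label, header name, pattern the value must match).
# Constructed indicator list; extend it for your own stack.
HEADER_CHECKS = [
    ("server banner with version", "Server", re.compile(r"/\d+(\.\d+)+")),
    ("framework banner", "X-Powered-By", re.compile(r".+")),
    ("debug header", "X-Debug-Token", re.compile(r".+")),
]

# Body checks: (finding label, pattern). Each pattern targets one of the
# disclosure sources listed on the page.
BODY_CHECKS = [
    ("stack trace or debug output", re.compile(
        r"Traceback \(most recent call last\)"
        r"|\bat [\w.$]+\(\w+\.java:\d+\)"
        r"|(?:Fatal error|Warning|Notice): .+ on line \d+")),
    ("absolute file path", re.compile(
        r"(?:/(?:var|srv|home|usr|etc)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)")),
    ("developer comment", re.compile(
        r"<!--(?:(?!-->).)*?(?:TODO|FIXME|password|passwd|secret|api[_-]?key|debug)"
        r"(?:(?!-->).)*?-->", re.I | re.S)),
    ("backup file reference", re.compile(
        r"[\w/-]+\.(?:bak|old|orig|swp|sql|tar\.gz|zip)\b", re.I)),
    ("database error", re.compile(
        r"You have an error in your SQL syntax|ORA-\d{5}|PG::SyntaxError|SQLSTATE\[", re.I)),
]


def audit_response(headers: dict, body: str) -> list[str]:
    """Return one finding string per indicator present in the response.
    Header names are matched case-insensitively; only the first hit of each
    body pattern is reported, with a short snippet for triage."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for label, name, pat in HEADER_CHECKS:
        value = lowered.get(name.lower())
        if value is not None and pat.search(value):
            findings.append(f"{label}: {name}: {value}")
    for label, pat in BODY_CHECKS:
        m = pat.search(body)
        if m:
            snippet = m.group(0)[:60].replace("\n", " ")
            findings.append(f"{label}: {snippet}")
    return findings


# Constructed sample responses (not captured from any real system).
LEAKY_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"}
LEAKY_BODY = """<html><!-- TODO: remove test account admin / Passw0rd before launch -->
<h1>Error</h1>
<p>Warning: include(/var/www/html/config.old): failed to open stream on line 12</p>
<p>You have an error in your SQL syntax; check the manual</p>
</html>"""

CLEAN_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
CLEAN_BODY = "<html><h1>Something went wrong</h1><p>Reference 4f2a9c</p></html>"


if __name__ == "__main__":
    for name, hdrs, body in (("leaky", LEAKY_HEADERS, LEAKY_BODY),
                             ("clean", CLEAN_HEADERS, CLEAN_BODY)):
        print(f"[{name}]")
        for finding in audit_response(hdrs, body) or ["no findings"]:
            print("  ", finding)
```

Running this as part of a test suite against error paths (bad input, missing resources, forced exceptions) catches the leaks before a release does; a hit on the `Server` or `X-Powered-By` check is fixed in the web server configuration, while body hits point at error handling or at artifacts that should never have been deployed.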
References
https://infosecwriteups.com/all-about-information-disclosure-5edb5459a514