Information Disclosure Vulnerabilities
What is Information Disclosure?
Information Disclosure occurs when a web application unintentionally exposes sensitive data to unauthorized users. This leaked data can help an attacker enumerate services, craft attacks, or escalate access.
Common Types of Information Disclosure
1. Verbose Error Messages
- Exposes file paths, database queries, stack traces.
- Can hint at tech stack (e.g., MySQL, Apache, Python, etc.).
```
Warning: mysqli_connect(): (HY000/1045): Access denied for user 'root'@'localhost'
```
2. Directory Listing Enabled
- Visiting a folder such as https://target.com/uploads/ returns a public listing of every file it contains.
- Often reveals sensitive PDFs, backups, or scripts.
3. Misconfigured .git/, .env, backup.zip
- Accidental deployment of config or dev files.
- Examples:
  - .env → API keys
  - .git/config → repository origin
  - db_backup.sql, backup.zip, users.csv
4. Sensitive Comments in HTML/JS
```html
<!-- TODO: remove debug mode before prod -->
<script>
  // adminPassword = "SuperSecret123!"
</script>
```
5. Leaky HTTP Headers
- Disclose server versions or technology.
- Example:
```
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.6.4
```
6. Robots.txt and Sitemap.xml
- robots.txt reveals hidden or admin-only paths.
```
User-agent: *
Disallow: /backup
Disallow: /private-api
```
- sitemap.xml reveals internal endpoints.
How to Test for Information Disclosure
- Manually inspect page source, JS files.
- Explore common paths like /robots.txt, /sitemap.xml, /admin, /config, /test, /debug.
- Tools (if allowed):
  - curl -I
  - httpx
  - feroxbuster
  - waybackurls + gau (collect past URLs)
  - gf secrets, secretfinder.py
Always check program rules before scanning or brute-forcing! Many prohibit automated tools or excessive requests.
Real-World Impact
- Leaking credentials from .env or comments.
- Revealing endpoints that lead to privilege escalation or RCE.
- Discovering internal logic that helps craft better payloads (e.g., anti-CSRF token names, internal APIs).
Mitigations
- Disable directory listing on web servers.
- Scrub dev/debug info from HTML & JS.
- Remove sensitive files before deployment.
- Configure error handling with generic messages.
- Limit verbose headers in production.
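As an added example (not part of the original article), a small Python pre-deployment audit that covers three of the mitigations above: it walks a build directory for files that must not ship (.env, .git/, SQL dumps, archives), flags HTML/JS comments that mention debug flags or credentials, and reports response headers that advertise software versions. The sample webroot, its file contents and the header set are constructed for the illustration.

```python
import os
import re
import tempfile

# Files and directories that should never be present in a production web root
SENSITIVE_NAMES = {".env", ".git", ".htpasswd"}
SENSITIVE_EXTS = {".sql", ".zip", ".bak", ".csv", ".old"}
COMMENT_RE = re.compile(r"(<!--.*?-->|//[^\n]*|/\*.*?\*/)", re.S)  # crude: "//" in URLs also matches
SUSPICIOUS_RE = re.compile(r"todo|debug|password|secret|api[_-]?key", re.I)

def audit_webroot(root):
    """Walk a build directory and return (path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in SENSITIVE_NAMES:
                findings.append((os.path.join(dirpath, d), "sensitive directory"))
                dirnames.remove(d)  # report once, do not descend into it
        for f in filenames:
            path = os.path.join(dirpath, f)
            if f in SENSITIVE_NAMES or os.path.splitext(f)[1].lower() in SENSITIVE_EXTS:
                findings.append((path, "sensitive file"))
            elif f.lower().endswith((".html", ".htm", ".js")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for comment in COMMENT_RE.findall(fh.read()):
                        if SUSPICIOUS_RE.search(comment):
                            findings.append((path, "suspicious comment: " + comment.strip()[:60]))
    return findings

def leaky_headers(headers):
    """Return response headers that name server software together with a version number."""
    leaks = []
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by", "x-aspnet-version") and re.search(r"\d", value):
            leaks.append(f"{name}: {value}")
    return leaks

def demo():
    """Audit a constructed sample webroot and header set (sample data, not a real site)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    samples = {
        ".env": "API_KEY=placeholder-not-a-real-key\n",
        "db_backup.sql": "-- constructed dump\n",
        "index.html": '<!-- TODO: remove debug mode before prod --><script> // adminPassword = "SuperSecret123!"</script>',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    headers = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.6.4", "Content-Type": "text/html"}
    return audit_webroot(root), leaky_headers(headers)
```

Run it against the real build output in CI and fail the pipeline on any finding; the comment regex is a heuristic, so review its hits rather than treating them as confirmed leaks.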