In this topic, I’ll show you how to find and exploit information disclosure vulnerabilities (bugs) in an application and how to prevent them. Have you ever pressed Ctrl+U on a website’s page and seen something unusual in the HTML comments? Or noticed version information in an error message? Or stumbled on secret information in source code on GitHub? Any information revealed or leaked online can be spotted by a keen eye and reported as a bug. You’ll wonder how an organization so big can be this careless about hiding its secrets, but it’s true: big companies often slip up and leave passwords, secret keys, API keys and confidential data exposed online. Let’s see how we can find them.
Information Disclosure (Leakage)
Information disclosure refers to a bug where some type of sensitive data (secret keys, PII, passwords, etc.) is accessible in a way that it shouldn’t be. There are so many ways that this can happen, but some of the most common scenarios are:
- Unsecured S3 buckets
- Secret keys in client-side JavaScript
- Passwords and secret keys in public Github repositories
- Internal documentation exposed to the internet inadvertently
So, this pretty much sums up what the vulnerability is and where to find it; if you want to take a deep dive into this topic, PortSwigger has a great blog post on it.
Dorking
This is the topic that other blogs discussing information disclosure tend to skip, yet it is the most essential skill here: the easiest and most productive way to find secret information available on the internet is to use open-source intelligence (OSINT) to search through an organization’s source code and files. Google Dorking is what comes to mind first; with its advanced search filters you can turn up secret data. You can find the best techniques here, and there is also an online tool that does that for you.
Now, whenever we talk about source code the first thing that comes to mind is GitHub. We can also use GitHub Dorks to search for secrets in code; you will find useful search techniques in its cheatsheet, and there is also a GitHub tool for that, Github-Dorks.
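The other side of dorking is making sure there is nothing for a dork to find. The scanner below is an added example (not from the original post, and not one of the tools linked above): it runs a handful of regular-expression rules over a constructed set of repository files and reports the hard-coded password, client-side API key, AWS access key ID and HTML comment pointing at an internal path that the scenarios listed earlier describe. The file contents, the key value `sk_live_...` and the `ExampleFramework` name are constructed; `AKIAIOSFODNN7EXAMPLE` is the example access key ID that AWS uses in its own documentation.

```python
import re
from typing import Dict, List, Tuple

# Detection rules, name -> compiled pattern.
# The AWS access-key-id shape (AKIA + 16 upper-case alphanumerics) and the
# PEM header are well-known formats; the remaining rules are heuristics
# and will need tuning (and allow-listing) for a real code base.
RULES: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # no leading \b: DB_PASSWORD, db-passwd etc. should still match
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]"),
    "generic_secret": re.compile(r"(?i)(?:secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
    # an HTML comment containing a path with at least two segments (/a/b)
    "html_comment_with_path": re.compile(r"<!--[^>]*?(?:/[\w.-]+){2,}[^>]*?-->"),
}

def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file name, line number, rule name) for every line hitting a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((name, lineno, rule))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents (a repository snapshot)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out

# Constructed repository snapshot; every value here is made up for the example.
SAMPLE_FILES = {
    "config.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'hunter2hunter2'\n",
    "static/app.js": "const apiKey = 'sk_live_0123456789abcdef';\nconsole.log('hi');\n",
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "index.html": "<html>\n<!-- TODO remove before launch: /cgi-bin/phpinfo.php -->\n</html>\n",
    "README.md": "Set PASSWORD via the environment; never commit it.\n",
}

if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run it as a pre-commit hook or in CI so the finding is raised before the commit reaches a public repository, where a GitHub dork would find it; the README line shows why the password rule requires an assignment and a quoted value rather than the bare word.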
Bug Bounty
From a bug bounty perspective, this type of vulnerability is usually a P4. It’s important to note that it is extremely easy to detect, which means it will nearly always be a duplicate. Bug hunters earn $100 to $200 for this type of vulnerability, so it could be easy money for you if you’re the first to look at it!
Information Disclosure Labs
When showing an error, applications often give out the version information of their server, which we can then search for known exploits against. This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
Click “Access the lab” and you’ll see a shop page. To trigger an error we need to do something unintended: click “View details” on any product and you’ll see a “productId” parameter with an id number. Changing the id shows other products, but what if we put something alphabetic in there? That could show us the error. I’ll change the productId parameter to “hello” and see what it shows:
Yes! It worked, and it showed us the error, complete with exploitable version information:
Now go back to the lab and click “Submit solution” with the Apache Struts version to solve the lab.
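The fix on the application side is to validate the parameter before it reaches the framework and to keep exception details out of the response. The following is an added example written for this post (it is not PortSwigger’s lab code and does not use Apache Struts): two minimal WSGI handlers over a constructed product table, one that echoes the exception and a constructed `ExampleFramework/2.3.31` banner the way the lab does, and a hardened one that returns generic 400/404/500 messages and logs the details server-side instead. The `call` helper invokes either handler directly, so no web server is needed.

```python
import logging
import traceback
from urllib.parse import parse_qs

log = logging.getLogger("shop")

# Constructed catalogue standing in for the lab's database.
PRODUCTS = {1: "Eggs", 2: "Bread", 3: "Milk"}
# Constructed banner; stands in for whatever version string a real framework prints.
FRAMEWORK_BANNER = "ExampleFramework/2.3.31"

def lookup(raw_id: str) -> str:
    """Mimics the lab's product lookup: int() raises on a non-numeric id."""
    return PRODUCTS[int(raw_id)]

def verbose_app(environ, start_response):
    """Leaky variant: any exception is echoed back together with the banner."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    try:
        body = lookup(qs.get("productId", [""])[0])
        start_response("200 OK", [("Content-Type", "text/plain")])
    except Exception:
        body = f"{FRAMEWORK_BANNER}\n{traceback.format_exc()}"
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
    return [body.encode()]

def hardened_app(environ, start_response):
    """Validates the id first; unexpected failures are logged, not echoed."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    raw = qs.get("productId", [""])[0]
    # isascii() guards against Unicode digits that isdigit() accepts but int() rejects
    if not (raw.isascii() and raw.isdigit()):
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"Invalid product id"]
    try:
        body = lookup(raw)
    except KeyError:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"No such product"]
    except Exception:
        log.exception("product lookup failed for id=%r", raw)  # details stay in the server log
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"Something went wrong"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]

def call(app, query: str):
    """Invoke a WSGI app in-process and return (status line, body text)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    environ = {"QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()

if __name__ == "__main__":
    print(call(verbose_app, "productId=hello"))
    print(call(hardened_app, "productId=hello"))
```

The same idea applies to a production framework: switch off debug/verbose error pages, register a generic error handler, and strip or neutralise the `Server` and `X-Powered-By` headers so the version never leaves the box.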
Remember when I told you about comments that reveal sensitive information? Well, here we are. Access the lab and you’ll see a shop page; view the page source (Ctrl+U), scroll down to the end and you’ll see a page location given as a comment.
Now, go to that page,
view-source:https://YOUR_LAB_ID.web-security-academy.net/cgi-bin/phpinfo.php
You will see a bunch of secret information there, but what we need is the SECRET_KEY. Find it with Ctrl+F, and there it is:
Go back to the lab, click “Submit solution”, and enter the SECRET_KEY to solve the lab.
Nearly every web application has a robots.txt file that tells search engine crawlers which URLs they may access on the site, so that file is meant to be public. Sometimes, though, it is too specific and lists the location of a secret directory the owner doesn’t want crawled; that is the scenario here. This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.
Browse to robots.txt:
https://YOUR_LAB_ID.web-security-academy.net/robots.txt
Notice that it reveals the existence of a /backup directory. Browse to /backup to find the file ProductTemplate.java.bak:
https://YOUR_LAB_ID.web-security-academy.net/backup
Open ProductTemplate.java.bak to view the source code, and notice that the connection builder contains the hard-coded password for a Postgres database.
Go back to the lab, click “Submit solution”, and enter the database password to solve the lab.
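Both halves of this lab are things a pre-deploy check can catch: a robots.txt entry that advertises a directory which really exists, and editor or deploy leftovers (.bak, .orig, ~) sitting under the web root where they are served as plain text. The audit below is an added example written for this post, not PortSwigger’s code; it parses a constructed robots.txt, checks each Disallow target against a constructed map of the deployed files, and lists any backup-suffixed files. The file paths, apart from the lab’s own ProductTemplate.java.bak, are made up.

```python
import re
from typing import Dict, List

# Suffixes that editors, deploy scripts and admins commonly leave behind; if a
# file with one of these sits under the web root it is served like any other.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~", ".save", ".zip", ".tar.gz")

def disallowed_paths(robots_txt: str) -> List[str]:
    """Extract Disallow targets from robots.txt, ignoring comments and blank lines."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if m and m.group(1) != "/":                    # "Disallow: /" hides nothing specific
            paths.append(m.group(1))
    return paths

def backup_files(webroot: Dict[str, str]) -> List[str]:
    """Return every deployed path whose name ends in a backup suffix."""
    return sorted(p for p in webroot if p.lower().endswith(BACKUP_SUFFIXES))

def audit(robots_txt: str, webroot: Dict[str, str]) -> Dict[str, List[str]]:
    """A Disallow entry that matches real files is advertising that directory;
    backup files anywhere in the tree are findings in their own right."""
    report = {"advertised_dirs": [], "backup_files": backup_files(webroot)}
    for path in disallowed_paths(robots_txt):
        prefix = path.rstrip("/") + "/"
        if any(p.startswith(prefix) for p in webroot):
            report["advertised_dirs"].append(path)
    return report

# Constructed inputs: robots.txt text and a path -> contents map of the web root.
ROBOTS = "User-agent: *\nDisallow: /backup\nDisallow: /admin  # not deployed\nAllow: /\n"
WEBROOT = {
    "/index.html": "...",
    "/backup/ProductTemplate.java.bak": "...",
    "/static/app.js": "...",
    "/static/app.js.orig": "...",
}

if __name__ == "__main__":
    for key, items in audit(ROBOTS, WEBROOT).items():
        print(key, items)
```

The remedy is the same in every case: remove backup files from the deployed tree (and make the web server refuse to serve those suffixes as a second line of defence), and keep private paths out of robots.txt altogether, since an entry there is a map for anyone who reads it, not just for crawlers.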
Conclusion
This covers the basics of information disclosure vulnerabilities and how to exploit them. There are two labs remaining on this topic that are yours to solve; if you need any help, solutions are on the lab page along with the community video solutions. Also practise with OSINT and its tools to see how sensitive information available online can be extracted. If you need any help regarding this topic feel free to contact me, and let me know in the comments if there is anything to improve. Also check out the previous topic, Cross-Site Scripting. See you in the next topic.