184 lines
8.3 KiB
Markdown
184 lines
8.3 KiB
Markdown
---
|
|
name: information-disclosure
|
|
description: Information disclosure testing covering error messages, debug endpoints, metadata leakage, and source exposure
|
|
---
|
|
|
|
# Information Disclosure
|
|
|
|
Information leaks accelerate exploitation by revealing code, configuration, identifiers, and trust boundaries. Treat every response byte, artifact, and header as potential intelligence. Minimize, normalize, and scope disclosure across all channels.
|
|
|
|
## Attack Surface
|
|
|
|
- Errors and exception pages: stack traces, file paths, SQL, framework versions
|
|
- Debug/dev tooling reachable in prod: debuggers, profilers, feature flags
|
|
- DVCS/build artifacts and temp/backup files: .git, .svn, .hg, .bak, .swp, archives
|
|
- Configuration and secrets: .env, phpinfo, appsettings.json, Docker/K8s manifests
|
|
- API schemas and introspection: OpenAPI/Swagger, GraphQL introspection, gRPC reflection
|
|
- Client bundles and source maps: webpack/Vite maps, embedded env, `__NEXT_DATA__`, static JSON
|
|
- Headers and response metadata: Server/X-Powered-By, tracing, ETag, Accept-Ranges, Server-Timing
|
|
- Storage/export surfaces: public buckets, signed URLs, export/download endpoints
|
|
- Observability/admin: /metrics, /actuator, /health, tracing UIs (Jaeger, Zipkin), Kibana, Admin UIs
|
|
- Directory listings and indexing: autoindex, sitemap/robots revealing hidden routes
|
|
|
|
## High-Value Surfaces
|
|
|
|
### Errors and Exceptions
|
|
|
|
- SQL/ORM errors: reveal table/column names, DBMS, query fragments
|
|
- Stack traces: absolute paths, class/method names, framework versions, developer emails
|
|
- Template engine probes: `{{7*7}}`, `${7*7}` identify templating stack
|
|
- JSON/XML parsers: type mismatches leak internal model names
|
|
|
|
### Debug and Env Modes
|
|
|
|
- Debug pages: Django DEBUG, Laravel Telescope, Rails error pages, Flask/Werkzeug debugger, ASP.NET customErrors Off
|
|
- Profiler endpoints: `/debug/pprof`, `/actuator`, `/_profiler`, custom `/debug` APIs
|
|
- Feature/config toggles exposed in JS or headers
|
|
|
|
### DVCS and Backups
|
|
|
|
- DVCS: `/.git/` (HEAD, config, index, objects), `.svn/entries`, `.hg/store` → reconstruct source and secrets
|
|
- Backups/temp: `.bak`/`.old`/`~`/`.swp`/`.swo`/`.tmp`/`.orig`, db dumps, zipped deployments
|
|
- Build artifacts: dist artifacts containing `.map`, env prints, internal URLs
|
|
|
|
### Configs and Secrets
|
|
|
|
- Classic: web.config, appsettings.json, settings.py, config.php, phpinfo.php
|
|
- Containers/cloud: Dockerfile, docker-compose.yml, Kubernetes manifests, service account tokens
|
|
- Credentials and connection strings; internal hosts and ports; JWT secrets
|
|
|
|
### API Schemas and Introspection
|
|
|
|
- OpenAPI/Swagger: `/swagger`, `/api-docs`, `/openapi.json` — enumerate hidden/privileged operations
|
|
- GraphQL: introspection enabled; field suggestions; error disclosure via invalid fields
|
|
- gRPC: server reflection exposing services/messages
|
|
|
|
### Client Bundles and Maps
|
|
|
|
- Source maps (`.map`) reveal original sources, comments, and internal logic
|
|
- Client env leakage: `NEXT_PUBLIC_`/`VITE_`/`REACT_APP_` variables; embedded secrets
|
|
- `__NEXT_DATA__` and pre-fetched JSON can include internal IDs, flags, or PII
|
|
|
|
### Headers and Response Metadata
|
|
|
|
- Fingerprinting: Server, X-Powered-By, X-AspNet-Version
|
|
- Tracing: X-Request-Id, traceparent, Server-Timing, debug headers
|
|
- Caching oracles: ETag/If-None-Match, Last-Modified/If-Modified-Since, Accept-Ranges/Range
|
|
|
|
### Storage and Exports
|
|
|
|
- Public object storage: S3/GCS/Azure blobs with world-readable ACLs or guessable keys
|
|
- Signed URLs: long-lived, weakly scoped, re-usable across tenants
|
|
- Export/report endpoints returning foreign data sets or unfiltered fields
|
|
|
|
### Observability and Admin
|
|
|
|
- Metrics: Prometheus `/metrics` exposing internal hostnames, process args
|
|
- Health/config: `/actuator/health`, `/actuator/env`, Spring Boot info endpoints
|
|
- Tracing UIs: Jaeger/Zipkin/Kibana/Grafana exposed without auth
|
|
|
|
### Cross-Origin Signals
|
|
|
|
- Referrer leakage: missing/weak referrer policy leading to path/query/token leaks to third parties
|
|
- CORS: overly permissive Access-Control-Allow-Origin/Expose-Headers revealing data cross-origin; preflight error shapes
|
|
|
|
### File Metadata
|
|
|
|
- EXIF, PDF/Office properties: authors, paths, software versions, timestamps, embedded objects
|
|
|
|
### Cloud Storage
|
|
|
|
- S3/GCS/Azure: anonymous listing disabled but object reads allowed; metadata headers leak owner/project identifiers
|
|
- Pre-signed URLs: audience not bound; observe key scope and lifetime in URL params
|
|
|
|
## Key Vulnerabilities
|
|
|
|
### Differential Oracles
|
|
|
|
- Compare owner vs non-owner vs anonymous for the same resource
|
|
- Track: status, length, ETag, Last-Modified, Cache-Control
|
|
- HEAD vs GET: header-only differences can confirm existence
|
|
- Conditional requests: 304 vs 200 behaviors leak existence/state
|
|
|
|
### CDN and Cache Keys
|
|
|
|
- Identity-agnostic caches: CDN/proxy keys missing Authorization/tenant headers
|
|
- Vary misconfiguration: user-agent/language vary without auth vary leaks content
|
|
- 206 partial content + stale caches leak object fragments
|
|
|
|
### Cross-Channel Mirroring
|
|
|
|
- Inconsistent hardening between REST, GraphQL, WebSocket, and gRPC
|
|
- SSR vs CSR: server-rendered pages omit fields while JSON API includes them
|
|
|
|
## Triage Rubric
|
|
|
|
- **Critical**: Credentials/keys; signed URL secrets; config dumps; unrestricted admin/observability panels
|
|
- **High**: Versions with reachable CVEs; cross-tenant data; caches serving cross-user content
|
|
- **Medium**: Internal paths/hosts enabling LFI/SSRF pivots; source maps revealing hidden endpoints
|
|
- **Low**: Generic headers, marketing versions, intended documentation without exploit path
|
|
|
|
## Exploitation Chains
|
|
|
|
### Credential Extraction
|
|
- DVCS/config dumps exposing secrets (DB, SMTP, JWT, cloud)
|
|
- Keys → cloud control plane access
|
|
|
|
### Version to CVE
|
|
1. Derive precise component versions from headers/errors/bundles
|
|
2. Map to known CVEs and confirm reachability
|
|
3. Execute minimal proof targeting disclosed component
|
|
|
|
### Path Disclosure to LFI
|
|
1. Paths from stack traces/templates reveal filesystem layout
|
|
2. Use LFI/traversal to fetch config/keys
|
|
|
|
### Schema to Auth Bypass
|
|
1. Schema reveals hidden fields/endpoints
|
|
2. Attempt requests with those fields; confirm missing authorization
|
|
|
|
## Testing Methodology
|
|
|
|
1. **Build channel map** - Web, API, GraphQL, WebSocket, gRPC, mobile, background jobs, exports, CDN
|
|
2. **Establish diff harness** - Compare owner vs non-owner vs anonymous; normalize on status/body length/ETag/headers
|
|
3. **Trigger controlled failures** - Malformed types, boundary values, missing params, alternate content-types
|
|
4. **Enumerate artifacts** - DVCS folders, backups, config endpoints, source maps, client bundles, API docs
|
|
5. **Correlate to impact** - Versions→CVE, paths→LFI/RCE, keys→cloud access, schemas→auth bypass
|
|
|
|
## Validation
|
|
|
|
1. Provide raw evidence (headers/body/artifact) and explain exact data revealed
|
|
2. Determine intent: cross-check docs/UX; classify per triage rubric
|
|
3. Attempt minimal, reversible exploitation or present a concrete step-by-step chain
|
|
4. Show reproducibility and minimal request set
|
|
5. Bound scope (user, tenant, environment) and data sensitivity classification
|
|
|
|
## False Positives
|
|
|
|
- Intentional public docs or non-sensitive metadata with no exploit path
|
|
- Generic errors with no actionable details
|
|
- Redacted fields that do not change differential oracles
|
|
- Version banners with no exposed vulnerable surface and no chain
|
|
- Owner-visible-only details that do not cross identity/tenant boundaries
|
|
|
|
## Impact
|
|
|
|
- Accelerated exploitation of RCE/LFI/SSRF via precise versions and paths
|
|
- Credential/secret exposure leading to persistent external compromise
|
|
- Cross-tenant data disclosure through exports, caches, or mis-scoped signed URLs
|
|
- Privacy/regulatory violations and business intelligence leakage
|
|
|
|
## Pro Tips
|
|
|
|
1. Start with artifacts (DVCS, backups, maps) before payloads; artifacts yield the fastest wins
|
|
2. Normalize responses and diff by digest to reduce noise when comparing roles
|
|
3. Hunt source maps and client data JSON; they often carry internal IDs and flags
|
|
4. Probe caches/CDNs for identity-unaware keys; verify Vary includes Authorization/tenant
|
|
5. Treat introspection and reflection as configuration findings across GraphQL/gRPC
|
|
6. Mine observability endpoints last; they are noisy but high-yield in misconfigured setups
|
|
7. Chain quickly to a concrete risk and stop—proof should be minimal and reversible
|
|
|
|
## Summary
|
|
|
|
Information disclosure is an amplifier. Convert leaks into precise, minimal exploits or clear architectural risks.
|