Information Disclosure Vulnerability

What is Information Disclosure?

When a website inadvertently makes private information available to its visitors, Information Disclosure Vulnerability it is referred to as an information disclosure or information leakage. Websites may give a potential attacker access to a wide range of information, depending on the situation, including:

• Data about other users, such as usernames or financial information.
• Sensitive commercial or business data.
• Technical information on the infrastructure and website.
• Exposing hidden directories’ names, structures, and contents using a directory listing or robots.txt file.
• Granting temporary backup access to source code files.
• Naming database tables or columns explicitly in error messages.
• Revealing extremely private information, such as credit card numbers, needlessly.
• Including IP addresses, database credentials, API keys, and other information in the source code
• Using minute variations in program behavior to allude to the presence or lack of resources, usernames, and other information.

Direct Impact:

• Disclosure of private user information, such as payment card numbers or personal information.
• It can result in legal repercussions and invasions of privacy.
• This may lead to a loss of customer trust and harm to one’s reputation.

Indirect Impact:

• Technical information disclosure (e.g., directory structure, server information, frameworks).
• It may seem low-risk, but it can aid in future attacks like:
  • SQL injection,
  • Remote Code Execution (RCE),
  • Privilege escalation,
• The attacker’s usage of the compromised data determines the severity.

Mitigation:

1. Audit Code Regularly

• Conduct security audits and code reviews during the QA and build stages.
• Automate tasks like removing:
  • Debug info,
  • Developer comments,
  • Unused endpoints, etc.

2. Use Generic Error Messages

• Steer clear of producing comprehensive error messages.

3. Disable Debug Features

• In production, turn off the diagnostic, logging, and debugging tools.
• Verify the default debug settings in the frameworks (e.g., Django DEBUG=False).

4. Understand Third-Party Tools

• Be aware of the security configurations of any framework or library you utilize.
• Harden default settings and turn off unused functionality.

5. Enforce Least Privilege

• Restrict access to files and sensitive information.
• When necessary, use authorization and authentication.

6. Secure File and Directory Access

Prevent public access to sensitive files:

• .env, .git, config.php, backup.zip, etc.

Supporting Material/References:

1. https://portswigger.net/web-security/information-disclosure
2. https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html

Practical Time:

Report Summary:  The response I received when I tried to access the /admin endpoint said that only administrator users or requests coming from a local IP address were allowed access. I noticed that the server automatically appended my IP address to the X-Custom-IP-Authorization header when I sent a TRACE /admin request using Burp Repeater. I added the X-Custom-IP-Authorization: 127.0.0.1 header to every request using Burp Suite’s Match and Replace function.

Because of this, the server was led to believe that my queries came from localhost. I was consequently given access to the admin panel, confirming that information disclosure and insecure IP-based access control were used to bypass authentication.

 

POC

Step 1

• First, open Burp Suite, enable FoxyProxy, and then reload the website.

  

 

 

Step 2

• Go to the Proxy > HTTP history tab, select the main GET/request, and send it to the Repeater tab.

Step 3

 

• Let’s try to access the admin panel, but the response status is 401 “Unauthorized.”

 

Step 4

 

• I looked for “admin” in the response and saw the error notice, “interface only available to local users.” This means that in order to get access, I must send the request as though it were coming from a local IP address.

Step 5

 

• You will see that the response headers contain X-Custom-IP-Authorization when you change the request method from GET to TRACE. This feature automatically uses my IP address to determine whether the request is coming from a local user or another user.

Step 6

 

• Go to Proxy > Match and replace
• Under HTTP match and replace rules, click Add. The Add match/replace rule dialog opens.
• Leave the Match field empty.
• Under Type, make sure that the Request header is chosen.
• In the Replace field, enter the following: X-Custom-IP-Authorization: 127.0.0.1, and click
• Test and then click

NOTE: You can see that Burp has included the X-Custom-IP-Authorization header in the Auto-modified request.

Step 7

 

• First, go to the page of the target website to see if the admin panel is there. If it isn’t visible at first, don’t worry.

Step 8

 

• Reload the website, and you will see the admin panel displayed on the page.

 

Step 9

Intercept the request and reload the page. The header X-Custom-IP-Authorization: 127.0.0.1 is automatically added to the request using Burp’s Match and Replace rule. Next, eavesdrop on the answer

Step 10

 

• Look for the admin panel in the response and confirm that it has opened correctly.

Step 11

 

• To finish the lab, click the admin panel and remove the user “Carlos.”

Step 12

• Congratulations, you solved the lab.

Read More: 

IDOR Vulnerability to Log Out Another User

 

About Author