What is Information Disclosure
Definition
Unnecessary information exposure, also known as Information Disclosure, refers to security vulnerabilities where information that should not be exposed to users or systems in web services is disclosed to external parties.
Vulnerability Points
- Error pages, HTTP request and response pages
Vulnerability Validation Methods
For error pages, HTTP request, and response headers, check if version information is visible using Burp Suite.
Verify if important information commented in web pages is exposed in the web page source.
Check if excessive information is exposed in error messages or error pages.
Confirm if encoded important information can be decoded.
Attack Methods
Attack Scenarios
Information exposure using error messages: Attackers extract sensitive information such as debug information or paths from error messages.
Information exposure using XSS (Cross-Site Scripting): Attackers trick users into accessing the password change page, inadvertently revealing their previous password, which the attacker then captures.
Occurrence Process
Countermeasures
Configure not to return detailed error messages with debug and exception information.
Implement error handling mechanisms to prevent exposing exception information to users.
Take measures not to store sensitive information in log files.
Restrict access to the web service's directory structure and file lists.
Apply security measures to web application configuration files and database connection information.