At times, web applications fail to protect confidential or sensitive information from unauthorized or unintended parties. This situation is generally referred to as an information disclosure issue. Though such issues are often not directly exploitable, they allow attackers to gather information about a web application that can be used later in the lifecycle of an attack. Some of the most common information disclosure issues in web applications are listed below.
Active Reconnaissance/Banner Grabbing
If a web application has not been appropriately configured, it can reveal information about itself during a banner grabbing exercise. The information gathered typically includes version details of PHP, OpenSSH, Apache, ASP.NET, etc. For example, after learning the current PHP version, an attacker can target an RCE (Remote Code Execution) vulnerability known to affect that version.
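As an added example (not code from the original article), the following Python audits a set of HTTP response headers for the version-revealing banners described above and shows the same headers after the disclosing ones are stripped. The header names checked, the sample response and the helper function names are assumptions made for this example; the header values are constructed.

```python
import re

# Headers that commonly leak server-side technology and version numbers.
# Constructed list for this example; extend it to match your own stack.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A version string looks like "2.4.41", "7.4.3" or "8.0".
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def audit_headers(headers):
    """Return (header, value, reason) findings for version- or technology-revealing headers.

    `headers` is a dict of response headers; name matching is case-insensitive.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() not in DISCLOSURE_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version number disclosed"))
        else:
            findings.append((name, value, "technology disclosed"))
    return findings


def strip_disclosure_headers(headers):
    """Return a copy of `headers` with the disclosing headers removed.

    `Server` is kept but reduced to the bare product name, which is what
    Apache's `ServerTokens Prod` or nginx's `server_tokens off` would emit.
    """
    cleaned = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "server":
            cleaned[name] = value.split("/")[0].split(" ")[0]
        elif lname in DISCLOSURE_HEADERS:
            continue
        else:
            cleaned[name] = value
    return cleaned


# Constructed sample of a misconfigured server's response headers.
SAMPLE_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "X-Powered-By": "PHP/7.4.3",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(finding)
    print(strip_disclosure_headers(SAMPLE_RESPONSE_HEADERS))
```

In production the fix belongs in server configuration rather than in post-processing: Apache's `ServerTokens Prod`, nginx's `server_tokens off` and PHP's `expose_php = Off` suppress these banners at the source, and the audit function above is then useful as a regression check against your own endpoints.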
Source Code Disclosure
When a web application exposes its backend code to the public, it enables an attacker to understand its behavior simply by reading the code and looking for flaws, API keys, and username/password credentials. The extent of the disclosure directly affects the damage an attacker can cause.
Unprotected Public Code Repositories
The last few years have seen a sort of cloud revolution: everything is moving to the cloud. Most of the SaaS applications we use nowadays are hosted in the cloud. If their code repository is not well protected, attackers may be able to access the hosted source code and its associated documentation.
Inappropriate Handling of Sensitive Data
Hardcoding credentials and internal IP addresses in a web application's code is a big no. We have identified various instances wherein our clients had hardcoded this information in their web applications. Such information can be accessed simply by right-clicking on a page of the web application and selecting View Page Source.
File Name & File Path Disclosure
A web application may disclose the structure of its underlying infrastructure by revealing file names, file paths, or both. Due to inappropriate input handling, improper configuration management, or unhandled backend exceptions, a web application's response may include such information in error pages.
Directory Listing
Many web servers provide directory listing by default when no default web page is available: a visitor is directly shown a list of the files and directories. Such directories are easily enumerated with tools such as Dirb or OWASP DirBuster.
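As an added example covering both the error-page disclosures above and directory listings (not code from the original article), the following Python classifies HTTP response bodies by whether they leak filesystem paths, interpreter or framework error text, or an auto-generated directory index. The patterns, the sample bodies and the function names are assumptions constructed for this example.

```python
import re

# Constructed indicator patterns for this example. Unix paths are restricted to
# common absolute prefixes so ordinary URLs such as /static/app.css are not flagged.
UNIX_PATH_RE = re.compile(r"""(?<![\w/])/(?:var|etc|home|usr|opt|srv|tmp)/[^\s<>"'()\[\]:;,]+""")
WINDOWS_PATH_RE = re.compile(r"""\b[A-Za-z]:\\(?:[^\\\s<>"'()\[\]:;,]+\\)*[^\\\s<>"'()\[\]:;,]+""")
# Interpreter and framework error text that usually accompanies a path leak.
ERROR_TEXT_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack trace:|Fatal error:|Warning: |Server Error in "
)
# Titles emitted by Apache, nginx and Tomcat auto-generated directory indexes.
DIR_LISTING_RE = re.compile(r"<title>\s*Index of /|<h1>\s*Index of /|Directory Listing For", re.I)


def classify_response(body):
    """Return which disclosure indicators appear in a response body."""
    paths = sorted(set(UNIX_PATH_RE.findall(body) + WINDOWS_PATH_RE.findall(body)))
    return {
        "paths": paths,
        "error_text": bool(ERROR_TEXT_RE.search(body)),
        "directory_listing": bool(DIR_LISTING_RE.search(body)),
    }


def is_disclosing(body):
    """True if the body leaks a path, raw error text or a directory index."""
    r = classify_response(body)
    return bool(r["paths"]) or r["error_text"] or r["directory_listing"]


# Constructed sample responses.
PHP_WARNING = (
    "Warning: include(/var/www/html/inc/config.php): failed to open stream: "
    "No such file or directory in /var/www/html/index.php on line 12"
)
ASPNET_ERROR = r"Server Error in '/' Application. Could not find file 'C:\inetpub\wwwroot\App_Data\users.xml'."
APACHE_LISTING = (
    "<html><head><title>Index of /backup</title></head>"
    '<body><h1>Index of /backup</h1><ul><li><a href="db.sql.gz">db.sql.gz</a></li></ul></body></html>'
)
CLEAN_404 = "<html><body><h1>Not Found</h1><p>The requested resource could not be found.</p></body></html>"

if __name__ == "__main__":
    for label, body in [("php", PHP_WARNING), ("aspnet", ASPNET_ERROR),
                        ("listing", APACHE_LISTING), ("clean", CLEAN_404)]:
        print(label, classify_response(body))
```

Run this over responses captured from your own test environment as a regression check. The server-side correction is a custom error page that hides paths and stack traces (and logs them server-side instead) together with directory indexing turned off, for example `Options -Indexes` in Apache or `autoindex off` in nginx.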