Overview:
If a web application fails to protect its sensitive data and exposes it to users, the application is said to disclose information.
The sensitive information could be:
- Session Tokens
- Details about the application framework
- User data (passwords, usernames, email IDs, etc.)
- Web server version number and backend language used (e.g. PHP)
- Sensitive Business or Commercial Data
Though this vulnerability cannot be directly exploited, it does provide the attacker with more information about the application, its users, etc., which the attacker can use as leverage against the application.
Other examples of serious information disclosure include:
- Revealing hidden directories via the robots.txt file.
- Providing access to the source code and other files.
- Hard-coding credentials or API keys in the source code.
Causes:
There are various causes that lead to information disclosure. A few are mentioned below.
- Insecure configuration of the website, database or framework.
- Failure to remove hard-coded details/content and other important internal details from public view.
- A flaw in either the entire architecture or some part of the website.
For example, the following snippet of the source code of a webpage has the username and the password hard-coded in it.
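As an added illustration of the hard-coded-credentials cause (not code from the original page), the following Python script scans a constructed PHP-style source fragment for credential assignments and shows the hardened alternative of reading credentials from the environment. The sample source, its variable names and the `DB_USER`/`DB_PASS` environment keys are all assumptions made for the example.

```python
import os
import re
from typing import Optional

# Constructed sample of a page source fragment with credentials hard-coded,
# the defect described in the text. The values are made up for the example.
VULNERABLE_SOURCE = """
<?php
// database connection
$db_user = "admin";
$db_pass = "S3cretPassw0rd!";
$api_key = "EXAMPLE-NOT-A-REAL-KEY";
?>
"""

# Patterns for typical credential assignments to a string literal in source
# or config files. The named group captures only the variable name, so a
# report can be produced without echoing the secret value itself.
CREDENTIAL_PATTERNS = [
    re.compile(r'\$?(?P<name>\w*(pass|passwd|password|pwd)\w*)\s*=\s*["\'][^"\']+["\']', re.I),
    re.compile(r'\$?(?P<name>\w*(api_?key|secret|token)\w*)\s*=\s*["\'][^"\']+["\']', re.I),
]


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, variable_name) for each line that assigns a
    credential-looking variable to a string literal.

    Line numbers are 1-based over the text as given (a leading blank line
    counts). The secret value is deliberately not returned."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, match.group("name")))
                break
    return findings


def load_db_credentials(env: Optional[dict] = None) -> dict:
    """Hardened alternative (assumed layout): read credentials from the
    process environment, which is never served to clients, instead of from
    the page source. A missing value raises rather than silently falling
    back to a default that might end up shipped with the code."""
    env = os.environ if env is None else env
    creds = {}
    for key in ("DB_USER", "DB_PASS"):
        value = env.get(key)
        if not value:
            raise RuntimeError(f"{key} is not set; refusing to start without credentials")
        creds[key] = value
    return creds


if __name__ == "__main__":
    for lineno, name in find_hardcoded_credentials(VULNERABLE_SOURCE):
        print(f"line {lineno}: hard-coded credential in variable '{name}'")
```

Run against a real tree, the scanner is a first pass only: it reports assignments to credential-like names, so a review still has to check the findings and look for secrets stored under unremarkable names.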
Prevention:
Since there are so many ways that a website could be vulnerable to information disclosure, there is no one way to prevent this.
A few ways through which this can be prevented are:
- Full inspection of the site for hard-coded details that could be of use to an attacker. These could be credentials, cookies, session tokens, IDs, etc.
- Auditing the code for potential disclosures. Manually try to produce an error and see how the application responds. Is it throwing out sensitive data?
- Double-check the configuration files, and ensure that any third-party application is up to date.
- Check that the error messages thrown out are not too specific, pointing at a particular process or application. Use generic messages as much as possible.
- Ensure that the developers are well versed with what to display to the public and what to keep private.
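To make the error-message and audit advice above concrete, here is an added Python example (not code from the original page) contrasting a verbose error response with a hardened one that logs details server-side under a reference ID, stripping version-banner headers, and a small audit check for internals leaking into a response body. The exception text, header values and marker list are constructed for the example.

```python
import logging
import uuid

logger = logging.getLogger("app")

# Response headers that typically carry web server or framework versions.
# Compared case-insensitively, as HTTP header names are.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Strings that should never appear in a client-facing response body:
# SQL fragments, file paths, stack traces (constructed list for the example).
INTERNAL_MARKERS = ("select ", "from ", "table '", "/var/www", ".php", "traceback")


class DatabaseError(Exception):
    """Constructed stand-in for an internal exception."""


def verbose_error_response(exc: Exception) -> dict:
    """The leaky pattern: the exception text (query, table names, file
    paths) is echoed straight to the client."""
    return {"status": 500, "body": f"Error: {exc}"}


def safe_error_response(exc: Exception) -> dict:
    """Hardened pattern: full details go to the server log under a
    reference ID; the client sees only a generic message and that ID so
    support staff can still find the log entry."""
    reference = uuid.uuid4().hex[:12]
    logger.error("incident %s: %s: %s", reference, type(exc).__name__, exc)
    return {"status": 500, "body": f"An internal error occurred. Reference: {reference}"}


def strip_banner_headers(headers: dict) -> dict:
    """Drop headers that disclose the web server or framework version."""
    return {k: v for k, v in headers.items() if k.lower() not in BANNER_HEADERS}


def response_leaks_internals(body: str) -> bool:
    """Audit check: does a response body contain strings that point at
    internal queries, paths or stack traces?"""
    lowered = body.lower()
    return any(marker in lowered for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    exc = DatabaseError("SELECT * FROM users failed: table 'users' not found at /var/www/app/db.php:42")
    print("verbose leaks:", response_leaks_internals(verbose_error_response(exc)["body"]))
    print("safe leaks:   ", response_leaks_internals(safe_error_response(exc)["body"]))
    print(strip_banner_headers({"Server": "Apache/0.0-example", "Content-Type": "text/html"}))
```

The marker list is a starting point for an audit pass, not a complete filter; the point is that deciding what reaches the client happens in one place (the error handler), so a new exception type cannot accidentally expose a query or path.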