Information Disclosure

Information Disclosure

About Information Disclosure

What is information disclosure?

Information disclosure, also known as data leakage or information leakage, refers to the unintentional or unauthorized exposure of sensitive or confidential information to individuals or entities that should not have access to it.

This can include personal data, technical information, intellectual property, or any other data that is considered private or critical to an organization.

Check out this video for a high-level explanation:

What is the impact of information disclosure?

Information disclosure can allow attackers to obtain important technical information about a system via:

• Stack traces: Stack traces may contain sensitive information, such as file paths, server details, or function names, which can provide attackers with additional data for exploitation or social engineering.
• Version headers: By identifying the specific versions of software, attackers can better understand the overall technology stack, which can aid in the development of customized attacks.
• Source Code: Source code may contain sensitive information, such as hard-coded credentials, API keys, or configuration details, which can be used by attackers to gain unauthorized access to systems, data, or services.

How to prevent information disclosure?

To prevent information disclosure, it is important to follow security best practices and implement appropriate security measures, such as:

• Disable Error Messages: Disable detailed error messages in production environments, only displaying generic error messages to users.
• Remove Version Information: Remove or obscure version information from HTTP headers, error messages, and other application outputs.

References

Taxonomies

• OWASP Top 10 - A01 Broken Access control
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Explanation & Prevention

• PortSwigger: Information Disclosure

Related CVEs

• CVE Details: CWE-200

Training

• Secure Code Warrior: Sensitive Information Disclosure

Fixing Information Disclosure

An Information Disclosure vulnerability has been detected by our runtime engines. Fix information disclosure by ensuring that:

• Error messages are disabled
• Version headers are disabled
• Source code is not disclosed