Exploitation: A05 | Security Misconfiguration
Information Disclosure
Information disclosure vulnerabilities expose sensitive data that helps attackers plan targeted attacks. This includes version numbers, internal paths, stack traces, API keys, database details, and debugging information. While sometimes considered low-severity individually, information disclosure is a critical enabler for further exploitation.
Information
Information disclosure is often the first step in attack chain construction. Document all findings; even seemingly minor leaks can be combined for significant impact.
Error Page Analysis
bash
# Trigger error pages to reveal information:
# 404 errors - check for server version in headers/body:
curl -v https://target.com/nonexistent-page-xyz
# 500 errors - trigger with malformed input:
curl -v 'https://target.com/api/user?id=%00' # URL-encoded null byte (a literal \x00 inside quotes would be sent as four characters)
curl -v 'https://target.com/api/user?id[]=1'
curl -v -X POST https://target.com/api/user -d '{invalid json}' -H 'Content-Type: application/json'
# Stack traces may reveal:
# - Programming language and framework version
# - Internal file paths (/var/www/app/controllers/UserController.py)
# - Database connection strings
# - Third-party library versions
# - Internal IP addresses
# Framework-specific error pages:
curl https://target.com/wp-admin/ # WordPress
curl https://target.com/elmah.axd # ASP.NET error logging
curl https://target.com/server-status # Apache status
curl https://target.com/server-info # Apache server info
curl https://target.com/__debug__/ # Django debug toolbar
curl https://target.com/_debugbar/open # Laravel debug bar
curl https://target.com/actuator # Spring Boot actuator
curl https://target.com/actuator/env # Spring env variables
curl https://target.com/actuator/health # Spring health check
curl https://target.com/trace # Spring trace
curl https://target.com/console # H2 database console
Response Header Analysis
bash
# Check response headers for version disclosure:
curl -sI https://target.com | grep -iE 'server|x-powered|x-aspnet|x-runtime|x-version'
# Common headers revealing information:
# Server: Apache/2.4.51 (Ubuntu)
# X-Powered-By: PHP/8.1.2
# X-Powered-By: Express
# X-Powered-By: ASP.NET
# X-AspNet-Version: 4.0.30319
# X-Runtime: 0.012345 (Ruby on Rails)
# X-Generator: Drupal 10
# X-Debug-Token: abc123 (Symfony)
# Check for internal IP leakage:
curl -sI https://target.com | grep -iE 'x-forwarded|x-real-ip|x-backend|via'
# Check all headers:
curl -sI https://target.com -H 'Host: target.com' | sort
Debug Endpoints & Hidden Files
bash
# Common debug/admin endpoints:
curl -s https://target.com/phpinfo.php # PHP configuration
curl -s https://target.com/info.php
curl -s https://target.com/.env # Environment variables!
curl -s https://target.com/.git/HEAD # Git repository
curl -s https://target.com/.svn/entries # SVN repository
curl -s https://target.com/.DS_Store # macOS directory listing
curl -s https://target.com/web.config # IIS configuration
curl -s https://target.com/crossdomain.xml # Flash cross-domain
curl -s https://target.com/clientaccesspolicy.xml # Silverlight policy
curl -s https://target.com/robots.txt # Disallowed paths
curl -s https://target.com/sitemap.xml # Full URL listing
curl -s https://target.com/.well-known/security.txt
# Backup files:
curl -s https://target.com/config.php.bak
curl -s https://target.com/config.php~
curl -s https://target.com/config.php.old
curl -s https://target.com/config.php.swp
curl -s https://target.com/database.sql
curl -s https://target.com/dump.sql
curl -s https://target.com/backup.zip
# API documentation:
curl -s https://target.com/swagger.json
curl -s https://target.com/api-docs
curl -s https://target.com/openapi.json
curl -s 'https://target.com/graphql?query={__schema{types{name}}}' # GraphQL introspection (quoted so the shell does not interpret ? and {})
Source Code Exposure
bash
# Git repository exposure:
# If /.git/ is accessible, you can reconstruct the entire source code
# Check if git is exposed:
curl -s https://target.com/.git/HEAD
# Output: ref: refs/heads/main → Git exposed!
# Use git-dumper to download the repository:
pip install git-dumper
git-dumper https://target.com/.git/ ./target-source
# Then search for secrets:
cd target-source
git log --all --oneline # Check commit history
git log -p | grep -iE 'password|secret|key|token|api_key'
# Check for source maps in JavaScript:
curl -s https://target.com/js/app.js | tail -1
# //# sourceMappingURL=app.js.map
curl -s https://target.com/js/app.js.map
# Source maps contain the original source code!
Directory Listing
bash
# Check for directory listing:
curl -s https://target.com/uploads/
curl -s https://target.com/images/
curl -s https://target.com/static/
curl -s https://target.com/assets/
curl -s https://target.com/backup/
curl -s https://target.com/tmp/
curl -s https://target.com/logs/
# Look for:
# - <title>Index of /</title> (Apache)
# - Directory listing enabled
# - Backup files, configuration files, log files
# - Database dumps, credential files
# Automate with ffuf:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
-u https://target.com/FUZZ/ \
-mc 200,403 \
-fc 404
Testing Checklist
1. Check response headers for server version, framework, and internal IPs
2. Trigger error pages (404, 500) and check for stack traces
3. Scan for debug endpoints (phpinfo, actuator, debug toolbar)
4. Check for exposed .env, .git, backup files, and source maps
5. Check for directory listing on common paths
6. Review robots.txt and sitemap.xml for hidden paths
7. Check API documentation endpoints (swagger, openapi)
8. Search HTML source code for comments, credentials, internal URLs
Evidence Collection
Screenshots: Error pages showing stack traces, version numbers, internal paths
Header Dump: Full response headers showing version disclosure
Files Found: .env contents (redact actual secrets), .git HEAD output
CVSS Range: Version disclosure: 2.7–4.3 | Credentials in source: 7.5–9.1 | .env exposed: 9.1
Remediation
- Custom error pages: Replace default error pages with custom ones that reveal no technical details.
- Remove version headers: Configure web server to suppress Server, X-Powered-By headers.
- Disable debug mode: Ensure DEBUG=False in production for all frameworks.
- Block sensitive files: Configure web server to deny access to .env, .git, .svn, backup files.
- Disable directory listing: Set Options -Indexes (Apache) or autoindex off (Nginx).
- Remove source maps: Don't deploy .map files to production.
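As an added example (not part of the original page), the following Python audit parses a header dump of the kind `curl -sI` prints and classifies it into the disclosure types listed under Response Header Analysis, so a defender can run it as a release check after applying the header remediation above. The header sets and the SAMPLE dump are constructed for illustration; the severity split (exact version vs bare product name) follows the false-positive guidance below.

```python
import re
from ipaddress import ip_address
# Headers the page lists as version/technology disclosure sources.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator", "x-version"}
# Headers whose presence alone identifies a framework (X-Runtime: Rails, X-Debug-Token: Symfony).
TECH_HEADERS = {"x-runtime", "x-debug-token"}
# Headers that may carry internal/backend addresses.
ROUTING_HEADERS = {"x-forwarded-for", "x-real-ip", "x-backend", "via"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_headers(raw):
    """Parse a raw header block (as printed by `curl -sI`) into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or stray body text
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Return (header, value, finding) triples for the disclosure types the page lists."""
    findings = []
    for name, value in parse_headers(raw):
        if name in VERSION_HEADERS:
            # A digit in the value means an exact version; a bare product name is lower severity.
            kind = "version disclosure" if re.search(r"\d", value) else "technology disclosure"
            findings.append((name, value, kind))
        elif name in TECH_HEADERS:
            findings.append((name, value, "technology disclosure"))
        elif name in ROUTING_HEADERS:
            for ip in IPV4_RE.findall(value):
                try:
                    if ip_address(ip).is_private:
                        findings.append((name, value, "internal IP leakage"))
                        break
                except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                    continue
    return findings

# Constructed sample header dump; not captured from any real host.
SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.51 (Ubuntu)
X-Powered-By: Express
X-Runtime: 0.012345
Via: 1.1 10.0.3.7
"""

if __name__ == "__main__":
    for header, value, kind in audit_headers(SAMPLE):
        print(f"{kind:22} {header}: {value}")
```

A hardened response (for example a bare "Server: nginx" and no X-Powered-By) produces only a technology finding or none, which is the state to require before release.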
False Positive Identification
- Public information in error pages: Generic server version strings (e.g., "Apache") may not be sensitive enough to report — focus on exact patch versions, internal paths, and database connection strings.
- Intentional debug endpoints: Some applications expose /health or /status by design — verify with the client whether these are intended to be public.
- Stack traces in development: If testing on a dev/staging environment, confirm the same behavior occurs in production before reporting.