Information disclosure vulnerabilities
https://portswigger.net/web-security/information-disclosure
Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users. Depending on the context, websites may leak all kinds of information to a potential attacker, including:
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure
Lab: Information disclosure in error messages
This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework.
https://acfb1f791e56cd67c1a0ce5d00540000.web-security-academy.net/product?productId=test
We sent a string in the productId parameter and got an error page. The ID has to be a decimal value.
Lab: Information disclosure on debug page
This lab contains a debug page that discloses sensitive information about the application.
In the pages, there is a commented-out line, as follows.
Lab: Source code disclosure via backup files
This lab leaks its source code via backup files in a hidden directory.
In robots.txt, there is a hidden directory.
https://ac011f9f1f8cc651c02928c200100093.web-security-academy.net/backup/ProductTemplate.java.bak
Lab: Authentication bypass via information disclosure
This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
GET /admin
- Admin interface only available to local users
TRACE /admin
X-Custom-IP-Authorization: 199.199.199.199
→ Add the line below to requests: Proxy → Options → Match and Replace → Add, in the Replace option
X-Custom-IP-Authorization: 127.0.0.1
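An added example, not part of the original notes or the lab's own code: a constructed Python model of this lab's front-end and back-end, showing why TRACE discloses the custom header and how stripping the client-supplied copy and disabling TRACE closes the bypass. The function names, status codes and the proxy's pass-through behaviour are assumptions.

```python
# Constructed model of the setup described above; not the lab's real code.
HEADER = "X-Custom-IP-Authorization"  # header name taken from the notes

def back_end(method, path, headers):
    """Application server behind the proxy (status codes are assumed)."""
    if method == "TRACE":
        # TRACE echoes the request as received, proxy-added headers included.
        return 200, "\n".join(f"{k}: {v}" for k, v in headers.items())
    if path == "/admin":
        if headers.get(HEADER) == "127.0.0.1":
            return 200, "Admin panel"
        return 401, "Admin interface only available to local users"
    return 404, "Not Found"

def front_end(method, path, headers, peer_ip, hardened=False):
    """Reverse proxy that tags each request with the client's IP address."""
    fwd = dict(headers)
    if not hardened:
        # Weak: a client-supplied copy of the header is passed through as-is.
        fwd.setdefault(HEADER, peer_ip)
        return back_end(method, path, fwd)
    if method == "TRACE":
        return 405, "Method Not Allowed"  # diagnostic method disabled
    # Drop any client-supplied copy (names are case-insensitive), then set
    # the value from the TCP peer address, which the client cannot choose.
    fwd = {k: v for k, v in fwd.items() if k.lower() != HEADER.lower()}
    fwd[HEADER] = peer_ip
    return back_end(method, path, fwd)

def run_checks(hardened):
    """Replay the three requests from the notes and return the outcomes."""
    client = "199.199.199.199"
    spoof = {HEADER: "127.0.0.1"}
    return {
        "plain_admin": front_end("GET", "/admin", {}, client, hardened)[0],
        "trace_leaks_header": HEADER in front_end("TRACE", "/admin", {}, client, hardened)[1],
        "spoofed_admin": front_end("GET", "/admin", spoof, client, hardened)[0],
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak", run_checks(mode))
```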
Lab: Information disclosure in version control history
This lab discloses sensitive information via its version control history.
There is a .git directory.
wget -r https://ac011fd31e74cd34c168d40200460027.web-security-academy.net/.git
Opened with qgit.
We can see these: