A04:2021 - Insecure design - Information disclosure
Introduction
Information disclosure is a security vulnerability whose criticality depends on how sensitive the exposed information is.
It occurs when a web application inadvertently exposes sensitive or confidential data to unauthorized users. This vulnerability can manifest itself in various ways, including the disclosure of technical system details, configuration information, user data, or even source code fragments.
This exposure not only compromises the integrity and confidentiality of the application, but can also provide potential attackers with valuable information to plan and execute more sophisticated attacks against the system.
Impact
The impact of information disclosure on the security of a web application can be significant:
- Sensitive data exposure: May reveal sensitive information such as passwords, user data, or infrastructure details.
- Facilitating more sophisticated attacks: Attackers can use the information obtained to plan and execute more precise and effective attacks.
- Loss of trust: If users discover that the application is vulnerable, it can result in a loss of trust and damage to the organization's reputation.
- Regulatory non-compliance: Depending on the nature of the information disclosed, it may lead to violations of privacy and data security regulations.
- Compromise of system integrity: The disclosed information may be used to compromise the overall integrity and security of the system.
These impacts underscore the importance of identifying and mitigating information disclosure vulnerabilities in web applications.
Practical Examples
Below are some practical examples of information disclosure vulnerabilities in web applications. These cases illustrate how sensitive information can be inadvertently exposed, providing attackers with valuable data about the infrastructure and internal workings of the application.
Each example includes a description of the scenario, potential impact, and recommended mitigation measures. It is important to understand these cases to improve the security of web applications and protect the organization's sensitive information.
1. Error Messages
This specific case refers to a deliberate technique of causing errors on a web page for a strategic purpose. The main objective of this practice is to induce the system to reveal crucial information about the version of the software being used.
This tactic, while seemingly simple, can provide an attacker with valuable data about the underlying technological infrastructure of the web application. By intentionally forcing these errors, an attacker seeks to exploit system responses to obtain technical details that would normally be hidden.
This information may include not only the exact version of the software, but also other details such as the type of web server, the underlying operating system, or even source code fragments. All of these elements can later be used to plan more sophisticated and targeted attacks.
Summary
- An error is deliberately caused in the web application.
- The error message generated reveals information that should have stayed internal. The information obtained may include software versions, file paths, or server configurations.
Example
There are multiple ways to generate an error on a web page. In this case, we will explain a very common one, which occurs when a parameter that is expected to receive an integer value is sent a non-numeric value.
https://<victim_web>/product?productId=2
In this case, the value of the productId parameter is altered to send a non-numeric value and thus force an error:
https://<victim_web>/product?productId="
Mitigation
- Properly configure error messages so that they do not reveal sensitive information
- Implement custom error handling that hides technical details
- Keep software and systems updated to reduce known vulnerabilities
- Perform regular security tests to identify and fix potential data leaks
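As an added example (not code from the original page), here is a minimal request handler for the productId lookup described above in its leaky and hardened forms; PRODUCTS, lookup_product and the handler names are constructed for illustration. The hardened version applies the first two mitigation points: it validates the parameter before use and returns only an opaque reference to the client while the full detail goes to the server log.

```python
import logging
import re
import traceback
import uuid

# Constructed stand-in for the product table (placeholder data, not a real catalogue).
PRODUCTS = {1: "Widget", 2: "Gadget", 3: "Gizmo"}
INT_RE = re.compile(r"\d{1,9}")   # productId must be a plain positive integer
log = logging.getLogger("product")

def lookup_product(product_id):
    """Hypothetical data layer; raises KeyError for unknown ids like a real one might."""
    return PRODUCTS[product_id]

def handle_product_leaky(query):
    """Vulnerable variant: a bad productId bubbles a traceback into the response body."""
    try:
        product_id = int(query.get("productId"))
        return 200, {"product": lookup_product(product_id)}
    except Exception:
        # Echoing the traceback reveals exception type, message, file paths and line
        # numbers, which in turn identify the framework and interpreter in use.
        return 500, {"error": traceback.format_exc()}

def handle_product_hardened(query):
    """Hardened variant: validate first, and never send internal details to the client."""
    raw = query.get("productId", "")
    if not INT_RE.fullmatch(raw):
        return 400, {"error": "invalid request"}     # no hint about types or parsers
    try:
        return 200, {"product": lookup_product(int(raw))}
    except KeyError:
        return 404, {"error": "not found"}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)   # full detail stays server-side
        return 500, {"error": "internal error", "ref": ref}
```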
2. Default installation files / Debug files
Summary
- A reconnaissance phase is carried out in which files and directories are discovered through files such as sitemap.xml or robots.txt, as well as through crawling tools or directory enumeration.
- The debug file, or a file generated during installation, contains sensitive information. The information obtained may include software versions, file paths, server configurations, or keys and tokens in clear text.
Example
Mitigation
- Delete or restrict access to diagnostic files in production environments
- Implement robust access controls for sensitive files
- Use web application firewalls (WAFs) to block access to potentially dangerous files
- Perform regular security audits to identify and remove unnecessary files
- Correctly configure file and directory permissions on the web server
- Use vulnerability scanning tools to detect exposed files
- Implement security policies that prohibit the presence of debugging files in production
- Educate developers about the risks of leaving diagnostic files accessible
3. Hidden Files
Summary
- A reconnaissance phase is carried out in which files and directories are discovered through files such as sitemap.xml or robots.txt, as well as through crawling tools or directory enumeration.
- The files found through these techniques can include internal documentation, financial data, user credentials, source code, and more.
Example
Mitigation
- Identify all files displayed from the web
- Delete or restrict access to files with critical information, such as source code, credentials...
- Implement robust access controls for sensitive files
- Use web application firewalls (WAFs) to block access to potentially dangerous files
- Perform regular security audits to identify and remove unnecessary files
- Correctly configure file and directory permissions on the web server
- Use vulnerability scanning tools to detect exposed files
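As an added example (not from the original page) covering both section 2 (installation and debug files) and section 3 (hidden files), here is a small audit that a defender can run against a web document root before deployment: it flags file and directory names that commonly leak secrets, source or dumps, and it reports the paths that robots.txt publicly advertises as off-limits. The pattern list, the directory layout and the file contents are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Name patterns that commonly leak secrets, config, source, dumps or debug output
# when reachable under a document root (assumed list: extend it for your stack).
RISKY_PATTERNS = [".env*", ".git", ".htpasswd", "*.bak", "*.old", "*.orig", "*.swp",
                  "*.sql", "*.log", "phpinfo.php", "install.php", "setup.php", "*.zip"]

def is_risky(name):
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in RISKY_PATTERNS)

def audit_docroot(docroot):
    """Return sorted paths (relative to docroot) whose names match RISKY_PATTERNS."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            if is_risky(name):
                findings.append(os.path.relpath(os.path.join(dirpath, name), docroot))
        dirnames[:] = [d for d in dirnames if not is_risky(d)]  # one finding per .git etc.
    return sorted(findings)

def robots_disallows(docroot):
    """Disallow entries in robots.txt: a public hint at paths meant to stay hidden."""
    path = os.path.join(docroot, "robots.txt")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        values = [ln.split(":", 1)[1].strip() for ln in fh if ln.lower().startswith("disallow:")]
    return [v for v in values if v]

def build_constructed_docroot():
    """Create a throwaway document root with constructed sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": "<h1>shop</h1>",                       # legitimate content
        "robots.txt": "User-agent: *\nDisallow: /admin-old/\n",
        ".env": "DB_PASSWORD=placeholder",                   # clear-text secret
        "config.php.bak": "<?php $apiKey = 'placeholder';",  # editor backup of source
        "install.php": "<?php // installer never removed",
        "admin-old/export.sql": "-- customer table dump",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, ".git"))                  # exposed repository metadata
    return root
```

Every path returned by audit_docroot should either be deleted from the document root or denied at the web server before the site goes live, and each robots.txt Disallow entry should be protected by access control rather than by obscurity.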