AlbusSecurity:- Penetration-list 01 Information Disclosure — Sample
Hello Listeners, I hope you are all well. First, let me introduce myself: I’m Aniket, an Information Technology officer at 5f eco foundation of India and also the Founder of AlbusSecurity. It is a startup, and today is our launch day; for information about it, visit our dummy website. Now back to the article. We uploaded a “penetration list” to GitHub; the repository contains materials related to bug hunting. Here you will learn what information disclosure is and the ways to find it. What about the GitHub repository? It contains all the materials that we will be using for information disclosure and for understanding what I am trying to say. So, without wasting time, let’s get started.
What Is Information Disclosure?
Information disclosure is information leakage: in simple words, it is when a website unintentionally reveals sensitive information to its users. Websites may leak all kinds of information to an attacker.
But then the question arises: what kind of information is revealed by the website?
Ans:-
1. Data about other users, such as usernames or financial information.
2. Sensitive commercial or business data.
3. Technical details about the website, such as the application version, plugin names, and its infrastructure.
Leaking user or business data isn’t always a serious situation, but disclosing technical information can sometimes be serious. Why? Because it can work as a starting point for mapping additional attack surface, which may contain other vulnerabilities. The knowledge gained from an information disclosure can even help in finding critical vulnerabilities. However, an attacker needs to draw out the information disclosure by interacting with the website in a probing way, then carefully study the website’s responses and try to identify interesting behavior in the application.
Follow these steps to find information disclosure:-
- Directory brute forcing
- Information Disclosure through error
- Google Dorking
- Shodan Dorking
- GitHub Dorking
Now, I’m going to explain these steps:-
1. Directory brute-forcing:
A brute-force attack is a hacking method that uses trial and error to crack password hashes, login credentials, and encryption keys. An attacker can use the brute-force technique to find hidden web files and directories on a web server. There are several tools for doing this, but all of them use a list of sensitive files. So for this, we uploaded a list of the names of some of the most sensitive files. But how will that list help you? I will describe from my own experience how I use the list to find an information disclosure.
Finding hidden files with the help of Burp Suite:
1. Open Burp Suite, intercept a request, then type any random words in the file path.
2. Send the request to Burp Intruder.
   - Go to Burp Intruder. On the “Positions” tab, clear all the default payload positions and mark the random words as the payload position; that will be your injection point. Intruder should be used in Sniper mode.
3. On the “Payloads” tab, select “Simple list” as the payload type and then load our sensitive file list.
4. Start the attack. The turning point is that Burp Suite provides filter options, which means you can customize the results view by clicking “filter by status code”. Untick 4xx and 5xx, and you will only see the requests that returned responses such as 200 and 301.
You can also use some command-line tools like dirsearch, gobuster, ffuf, etc.; dirsearch is also good. The reason I’m not telling you to use dirsearch or any other tool is that these tools also use sensitive-file lists in the backend. Depending on the circumstances, we made one list from them, removed unwanted file names, and added some more file names to make it unique. So please check our Penetration list on GitHub.
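On the defending side, the wordlist-driven requests described above show up in the web server's access log as one client requesting many distinct missing paths in a short time, and the few 200/301 answers it received are the files to review first. The following detection sketch is an added example, not part of the original article or the Penetration-List repository; the log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation IP ranges), not real traffic.
_T = "10/Mar/2024:12:00:%02d +0000"
SAMPLE_LOG = [
    f'203.0.113.7 - - [{_T % i}] "GET {p} HTTP/1.1" {s} 512'
    for i, (p, s) in enumerate([
        ("/old.zip", 404), ("/db.sql", 404), ("/config.old", 404),
        ("/backup.zip", 200), ("/site.tar.gz", 404), ("/test/", 301),
        ("/notes.txt", 404)])
] + [
    '198.51.100.20 - - [10/Mar/2024:12:00:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.20 - - [10/Mar/2024:12:00:31 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def detect_path_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each enumerating client to the paths it was actually served."""
    misses = defaultdict(deque)  # ip -> (ts, path) of 404s inside the window
    served = defaultdict(set)    # ip -> paths answered with 2xx/3xx
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, path, status = rec
        if status == 404:
            q = misses[ip]
            q.append((ts, path))
            while q and ts - q[0][0] > window:
                q.popleft()  # drop misses that fell out of the time window
            if len({p for _, p in q}) >= threshold:
                flagged.add(ip)
        elif 200 <= status < 400:
            served[ip].add(path)
    return {ip: sorted(served[ip]) for ip in flagged}
```

Each flagged client maps to the paths that answered 2xx/3xx, which is the same view the Intruder status-code filter gives the tester; those paths are the ones to remove or lock down.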
2. Information Disclosure Through Error.
We already know about errors, but how do they occur? The reason is that the developer has not configured the website and its functions appropriately, so the website displays a verbose error message in its response. But how do we force a website to generate an error?
1. Add some malicious input like this: “?>?}|@#$%’.” There is a chance that the application will give you an error. For example, if I add some malicious input to a parameter on the CBSE website, it gives me an error message.
2. The second way is to intercept your request and then remove some params. If the server is not configured properly, it will give you an error in the response. For example, months ago I reported the same vulnerability on Bugcrowd; unfortunately, it was a duplicate.
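The fix for both cases above is on the server: unexpected or missing parameters should produce a generic response, with the details kept in the server log. The following added example (not from the original article) puts a verbose WSGI handler beside a hardened one; the `lookup` handler, the `id` parameter and the leak markers are hypothetical.

```python
import logging
import traceback
import uuid
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app")
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', "Error:")

def lookup(environ):
    # Hypothetical handler: fails if 'id' is missing or not a number.
    params = parse_qs(environ.get("QUERY_STRING", ""))
    return f"record {int(params['id'][0])}"

def verbose_app(environ, start_response):
    # Weak: the exception text and stack trace go straight to the client.
    try:
        body, status = lookup(environ), "200 OK"
    except Exception:
        body, status = traceback.format_exc(), "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def hardened_app(environ, start_response):
    # Hardened: bad input is a plain 400, anything else a generic 500;
    # details stay in the server log under a reference id.
    try:
        body, status = lookup(environ), "200 OK"
    except (KeyError, ValueError):
        body, status = "Invalid request.", "400 Bad Request"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s", ref)
        body, status = f"Internal error (ref {ref}).", "500 Internal Server Error"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode()]

def call(app, query):
    # Drive a WSGI app in-process with a constructed request.
    environ = {"QUERY_STRING": query}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], body

def leaks(body):
    # True if the response body contains stack-trace style details.
    return any(marker in body for marker in LEAK_MARKERS)
```

Running `call` with an empty query string (a removed parameter) or a non-numeric `id` against both apps and passing the bodies to `leaks` makes a simple regression check for error pages.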
I will stop here for now, but we will learn other methods of finding information disclosure in our next article, “Penetration-List 01 Information Disclosure Part 02”.
Our Dummy-Website link: https://as745591.wixsite.com/dummy-albussec/
Our Linkedin: https://www.linkedin.com/in/albus-security-914555229/
Penetration-list:- https://github.com/AlbusSec/Penetration-List
Thank you for reading our article. We know that your time is precious. So we will sort everything as soon as possible.