salvacybersec/strix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4384f5bff82e816b8e089d69f2fb3bea6f19414d
strix/strix/skills/vulnerabilities/information_disclosure.md

8.3 KiB
Raw Blame History

name, description
name description
information-disclosure Information disclosure testing covering error messages, debug endpoints, metadata leakage, and source exposure

Information Disclosure

Information leaks accelerate exploitation by revealing code, configuration, identifiers, and trust boundaries. Treat every response byte, artifact, and header as potential intelligence. Minimize, normalize, and scope disclosure across all channels.

Attack Surface

  • Errors and exception pages: stack traces, file paths, SQL, framework versions
  • Debug/dev tooling reachable in prod: debuggers, profilers, feature flags
  • DVCS/build artifacts and temp/backup files: .git, .svn, .hg, .bak, .swp, archives
  • Configuration and secrets: .env, phpinfo, appsettings.json, Docker/K8s manifests
  • API schemas and introspection: OpenAPI/Swagger, GraphQL introspection, gRPC reflection
  • Client bundles and source maps: webpack/Vite maps, embedded env, __NEXT_DATA__, static JSON
  • Headers and response metadata: Server/X-Powered-By, tracing, ETag, Accept-Ranges, Server-Timing
  • Storage/export surfaces: public buckets, signed URLs, export/download endpoints
  • Observability/admin: /metrics, /actuator, /health, tracing UIs (Jaeger, Zipkin), Kibana, Admin UIs
  • Directory listings and indexing: autoindex, sitemap/robots revealing hidden routes

High-Value Surfaces

Errors and Exceptions

  • SQL/ORM errors: reveal table/column names, DBMS, query fragments
  • Stack traces: absolute paths, class/method names, framework versions, developer emails
  • Template engine probes: {{7*7}}, ${7*7} identify templating stack
  • JSON/XML parsers: type mismatches leak internal model names

Debug and Env Modes

  • Debug pages: Django DEBUG, Laravel Telescope, Rails error pages, Flask/Werkzeug debugger, ASP.NET customErrors Off
  • Profiler endpoints: /debug/pprof, /actuator, /_profiler, custom /debug APIs
  • Feature/config toggles exposed in JS or headers

DVCS and Backups

  • DVCS: /.git/ (HEAD, config, index, objects), .svn/entries, .hg/store → reconstruct source and secrets
  • Backups/temp: .bak/.old/~/.swp/.swo/.tmp/.orig, db dumps, zipped deployments
  • Build artifacts: dist artifacts containing .map, env prints, internal URLs

Configs and Secrets

  • Classic: web.config, appsettings.json, settings.py, config.php, phpinfo.php
  • Containers/cloud: Dockerfile, docker-compose.yml, Kubernetes manifests, service account tokens
  • Credentials and connection strings; internal hosts and ports; JWT secrets

API Schemas and Introspection

  • OpenAPI/Swagger: /swagger, /api-docs, /openapi.json — enumerate hidden/privileged operations
  • GraphQL: introspection enabled; field suggestions; error disclosure via invalid fields
  • gRPC: server reflection exposing services/messages

Client Bundles and Maps

  • Source maps (.map) reveal original sources, comments, and internal logic
  • Client env leakage: NEXT_PUBLIC_/VITE_/REACT_APP_ variables; embedded secrets
  • __NEXT_DATA__ and pre-fetched JSON can include internal IDs, flags, or PII

Headers and Response Metadata

  • Fingerprinting: Server, X-Powered-By, X-AspNet-Version
  • Tracing: X-Request-Id, traceparent, Server-Timing, debug headers
  • Caching oracles: ETag/If-None-Match, Last-Modified/If-Modified-Since, Accept-Ranges/Range

Storage and Exports

  • Public object storage: S3/GCS/Azure blobs with world-readable ACLs or guessable keys
  • Signed URLs: long-lived, weakly scoped, re-usable across tenants
  • Export/report endpoints returning foreign data sets or unfiltered fields

Observability and Admin

  • Metrics: Prometheus /metrics exposing internal hostnames, process args
  • Health/config: /actuator/health, /actuator/env, Spring Boot info endpoints
  • Tracing UIs: Jaeger/Zipkin/Kibana/Grafana exposed without auth

Cross-Origin Signals

  • Referrer leakage: missing/weak referrer policy leading to path/query/token leaks to third parties
  • CORS: overly permissive Access-Control-Allow-Origin/Expose-Headers revealing data cross-origin; preflight error shapes

File Metadata

  • EXIF, PDF/Office properties: authors, paths, software versions, timestamps, embedded objects

Cloud Storage

  • S3/GCS/Azure: anonymous listing disabled but object reads allowed; metadata headers leak owner/project identifiers
  • Pre-signed URLs: audience not bound; observe key scope and lifetime in URL params

Key Vulnerabilities

Differential Oracles

  • Compare owner vs non-owner vs anonymous for the same resource
  • Track: status, length, ETag, Last-Modified, Cache-Control
  • HEAD vs GET: header-only differences can confirm existence
  • Conditional requests: 304 vs 200 behaviors leak existence/state

CDN and Cache Keys

  • Identity-agnostic caches: CDN/proxy keys missing Authorization/tenant headers
  • Vary misconfiguration: user-agent/language vary without auth vary leaks content
  • 206 partial content + stale caches leak object fragments

Cross-Channel Mirroring

  • Inconsistent hardening between REST, GraphQL, WebSocket, and gRPC
  • SSR vs CSR: server-rendered pages omit fields while JSON API includes them

Triage Rubric

  • Critical: Credentials/keys; signed URL secrets; config dumps; unrestricted admin/observability panels
  • High: Versions with reachable CVEs; cross-tenant data; caches serving cross-user content
  • Medium: Internal paths/hosts enabling LFI/SSRF pivots; source maps revealing hidden endpoints
  • Low: Generic headers, marketing versions, intended documentation without exploit path

Exploitation Chains

Credential Extraction

  • DVCS/config dumps exposing secrets (DB, SMTP, JWT, cloud)
  • Keys → cloud control plane access

Version to CVE

  1. Derive precise component versions from headers/errors/bundles
  2. Map to known CVEs and confirm reachability
  3. Execute minimal proof targeting disclosed component

Path Disclosure to LFI

  1. Paths from stack traces/templates reveal filesystem layout
  2. Use LFI/traversal to fetch config/keys

Schema to Auth Bypass

  1. Schema reveals hidden fields/endpoints
  2. Attempt requests with those fields; confirm missing authorization

Testing Methodology

  1. Build channel map - Web, API, GraphQL, WebSocket, gRPC, mobile, background jobs, exports, CDN
  2. Establish diff harness - Compare owner vs non-owner vs anonymous; normalize on status/body length/ETag/headers
  3. Trigger controlled failures - Malformed types, boundary values, missing params, alternate content-types
  4. Enumerate artifacts - DVCS folders, backups, config endpoints, source maps, client bundles, API docs
  5. Correlate to impact - Versions→CVE, paths→LFI/RCE, keys→cloud access, schemas→auth bypass

Validation

  1. Provide raw evidence (headers/body/artifact) and explain exact data revealed
  2. Determine intent: cross-check docs/UX; classify per triage rubric
  3. Attempt minimal, reversible exploitation or present a concrete step-by-step chain
  4. Show reproducibility and minimal request set
  5. Bound scope (user, tenant, environment) and data sensitivity classification

False Positives

  • Intentional public docs or non-sensitive metadata with no exploit path
  • Generic errors with no actionable details
  • Redacted fields that do not change differential oracles
  • Version banners with no exposed vulnerable surface and no chain
  • Owner-visible-only details that do not cross identity/tenant boundaries

Impact

  • Accelerated exploitation of RCE/LFI/SSRF via precise versions and paths
  • Credential/secret exposure leading to persistent external compromise
  • Cross-tenant data disclosure through exports, caches, or mis-scoped signed URLs
  • Privacy/regulatory violations and business intelligence leakage

Pro Tips

  1. Start with artifacts (DVCS, backups, maps) before payloads; artifacts yield the fastest wins
  2. Normalize responses and diff by digest to reduce noise when comparing roles
  3. Hunt source maps and client data JSON; they often carry internal IDs and flags
  4. Probe caches/CDNs for identity-unaware keys; verify Vary includes Authorization/tenant
  5. Treat introspection and reflection as configuration findings across GraphQL/gRPC
  6. Mine observability endpoints last; they are noisy but high-yield in misconfigured setups
  7. Chain quickly to a concrete risk and stop—proof should be minimal and reversible

Summary

Information disclosure is an amplifier. Convert leaks into precise, minimal exploits or clear architectural risks.