Information Leakage (CWE-200) is a category of software vulnerabilities in which information is unintentionally disclosed to end-users, potentially aiding attackers in their efforts to breach application security. The two key criteria for Information Leakage are that the exposure is unintentional and that the exposed information is useful to attackers.
“Application Sensitive” Information
Information Leakage is different from the failure to protect sensitive information at rest and in transit. That is a legitimate concern in its own right, and involves the exposure of the sensitive data the application stores and processes. Information Leakage, by contrast, involves the exposure of information that would facilitate attacks on the application or its supporting infrastructure, such as insight into the application's design, deployment, or organizational details. Examples of “application sensitive” information which may be unintentionally exposed include:
- Account Identifiers: A means of discerning which accounts exist, allowing an attacker to focus brute-force and password-guessing attacks on valid accounts.
- Email Addresses: Exposed internal email addresses can be used in Social Engineering attacks such as Phishing and, since email addresses often double as login names, in attacks on access control.
- File System Structure: The exposure of internal system structure through path references in responses can facilitate attacks such as Path Traversal.
- Application Configuration: The exposure of configuration information can reveal misconfiguration to an attacker and help focus the attack strategy. An example would be a visible reference to a debug switch that an attacker could then attempt to turn on.
- Database Structure: Insight into the schema used by the application, such as table and column names, helps an attacker craft SQL Injection payloads.
- Session and Authentication Tokens: Exposure of these values enables Session Hijacking attacks.
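As an added example (not code from the original article), the following Python snippet shows how a single technical error message leaks several items from the list above at once: the stack trace carries file-system paths and the database engine's own message names the table and column the query touched. Beside it is the hardened handler, which keeps the detail in the server log under an incident reference and gives the client only a generic message. The in-memory database, its schema, the defective query, and the names `run_lookup`, `vulnerable_response`, `hardened_response` and `handle` are all constructed for illustration.

```python
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")


def run_lookup(account_id: str) -> list:
    """Constructed example: an in-memory schema the application would rather not reveal.
    The query deliberately asks for a column that does not exist, so sqlite3 raises an
    OperationalError whose message names the missing column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, passwd_hash TEXT)"
    )
    # Application defect (intentional here): 'password' is not a column of 'users'.
    return conn.execute(
        "SELECT id, email, password FROM users WHERE id = ?", (account_id,)
    ).fetchall()


def vulnerable_response(exc: BaseException) -> dict:
    """'Before' handler: echoes the full stack trace to the client.

    The trace exposes file-system paths (File System Structure), the engine's own
    error text with schema names (Database Structure), and confirms the technology
    stack in use (Technical Error Messages)."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"status": 500, "body": trace}


def hardened_response(exc: BaseException) -> dict:
    """'After' handler: the full detail goes to the server-side log under a random
    incident id; the client sees only a generic message plus that id, so support
    staff can still correlate a user report with the log entry."""
    incident = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s: %s", incident, trace)
    return {"status": 500, "body": f"An internal error occurred. Reference: {incident}"}


def handle(account_id: str, hardened: bool) -> dict:
    """Simulated request handler; 'hardened' selects which error handler is used."""
    try:
        rows = run_lookup(account_id)
        return {"status": 200, "body": repr(rows)}
    except sqlite3.Error as exc:
        return hardened_response(exc) if hardened else vulnerable_response(exc)


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(handle("1", hardened=False)["body"])
    print("--- hardened ---")
    print(handle("1", hardened=True)["body"])
```

Running the block prints the two responses side by side: the first contains lines such as `File "...py", line N, in run_lookup` and `sqlite3.OperationalError: no such column: password`, the second only the generic sentence and a 32-character reference. The reference id is the piece that makes the hardened form workable in practice; without it, operations staff have no way to find the logged detail for a reported failure.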
How Does Information Leak?
Since information can be delivered in many forms, there are many channels through which information of interest to attackers may be exposed:
- Technical Error Messages: A common manifestation of this vulnerability is the display of stack traces, database error messages, and other responses containing technical detail that is meaningless to an end-user but valuable to an attacker.
- Banners: The exposure of software names and versions of the operating system, web server, database, or other application components, typically in response headers or service greetings.
- Account Enumeration: Any mechanism, such as differing error messages on login or password reset, by which existing account names are revealed.
- Web Page Source: Application-sensitive information left in HTML or script comments that are delivered to end-users.
- Diagnostic/Debug Messages: The exposure of information through debug data included in responses.
- Event Timing: Scenarios in which the time an operation takes to complete reveals something about its internal behaviour, such as whether a user name exists. Blind Injection attacks sometimes exploit such timing differences.
- Cookies: The exposure of session tokens, authentication tokens, and other state information carried in cookies, for example when a cookie lacks the Secure or HttpOnly flags.
- Caching: The failure to prevent sensitive responses from being cached by web browsers or intermediate proxies, potentially exposing them to attackers with access to the local machine or the cache.
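Two of the channels above, Account Enumeration and Event Timing, commonly appear together in a login routine, so the following added Python example (not code from the original article) shows both in one place. The vulnerable version returns a different message for an unknown user than for a wrong password, and returns early for unknown users so it also skips the slow password hash, making the account's existence visible in response time. The hardened version returns one message for every failure and always performs a full PBKDF2 verification, against a fixed dummy record when the user does not exist, then compares in constant time. The user store, salts, passwords and the names `vulnerable_login`, `hardened_login` and `time_login` are constructed for illustration.

```python
import hashlib
import hmac
import time

ITERATIONS = 100_000  # PBKDF2 work factor; the same for real and dummy records


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed example user store: username -> (salt, PBKDF2 hash). Not real data.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Fixed dummy record used for unknown accounts so the hardened path does the same
# amount of work whether or not the account exists.
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> str:
    """'Before': two leaks. The message tells the caller whether the account exists
    (Account Enumeration), and the early return skips the hash, so an unknown user
    is answered much faster than a known one (Event Timing)."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"
    salt, expected = record
    if _hash(password, salt) != expected:  # also a non-constant-time comparison
        return "Incorrect password"
    return "Welcome"


def hardened_login(username: str, password: str) -> str:
    """'After': one failure message for every cause, the hash is always computed
    (against the dummy record when the user is unknown), and the comparison is
    constant-time. The existence check happens after the hash so no work is skipped."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if username in USERS and ok:
        return "Welcome"
    return "Invalid username or password."


def time_login(login, username: str, password: str, rounds: int = 5) -> float:
    """Average wall-clock seconds per call; used only to make the timing channel visible."""
    start = time.perf_counter()
    for _ in range(rounds):
        login(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        known = time_login(fn, "alice", "wrong")
        unknown = time_login(fn, "nobody", "wrong")
        print(f"{fn.__name__:17s} known={known:.4f}s unknown={unknown:.4f}s "
              f"msg_known={fn('alice', 'wrong')!r} msg_unknown={fn('nobody', 'wrong')!r}")
```

When run, the vulnerable function shows an unknown-user call completing in microseconds against tens of milliseconds for a known user, with two distinct messages; the hardened function shows comparable times and an identical message for both. The dummy record must use the same algorithm and iteration count as real records, otherwise the timing difference simply moves rather than disappears. Note that a password-reset or registration form that reports "that email is already registered" leaks the same information and needs the same treatment.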
Information Leakage Is A Vulnerability
There is sometimes so great a focus on protecting the sensitive data being processed that we overlook information about the application's design or deployment that should equally be considered “application sensitive” and protected.
Failure to protect application-sensitive information, although rarely exploitable on its own, provides valuable reconnaissance to attackers and thereby facilitates other attacks.
For additional insight into how to detect Information Leakage vulnerabilities, see the article entitled “How To Test For Information Leakage”.
For insight into how to avoid this class of vulnerability, see the article entitled “How To Prevent Information Leakage”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.