Web

Information Disclosure

Finding information disclosure: version headers, backup files, debug pages, .git repo exposure, error messages, directory listing, robots.txt, source maps, and environment variable leaks. Burp Scanner and manual techniques.

What is Information Disclosure

Information disclosure (information leakage) happens when an app unintentionally exposes sensitive data — source code, credentials, internal paths, version strings, stack traces, user data — to people who shouldn’t have access.


Detection: automated

Burp Scanner

Run an active scan. Burp automatically detects:

  • Version disclosure in headers (Server, X-Powered-By, X-AspNet-Version)
  • Stack traces in error responses
  • Directory listing
  • Backup/temp files in common paths

Burp → Target → Site map → right-click → Engagement tools → Find comments

Parses every response in scope and extracts HTML/JS comments. Look for:

  • Internal IP addresses
  • API keys / credentials
  • Developer notes (TODO: remove this, hardcoded for testing)

HTTP response headers

In Burp Repeater or browser DevTools, check every response:

Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-AspNet-Version: 4.0.30319
X-Generator: Drupal 8

These name exact software versions: search for CVEs against them directly. Confirm before reporting, though: Server and X-Powered-By are freely settable and are often rewritten or stripped by a CDN or WAF in front of the app, so treat the value as a lead, not as proof of what is running.

Look for non-standard headers that expose internal infrastructure:

X-Backend-Server: prod-web-03.internal.corp
Via: 1.1 internal-proxy.corp
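An added example (not part of the original page) that pulls product/version pairs out of a header set the way you would when triaging a Repeater response: it parses `Apache/2.4.41 (Ubuntu)` into product, version and OS comment, handles bare versions such as X-AspNet-Version, keeps infrastructure headers like Via separately, and produces the search strings to feed into a CVE lookup. SAMPLE_HEADERS is a constructed response; the header sets are the ones this page lists.

```python
import re

# Constructed sample response headers (not captured from a real target).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "X-AspNet-Version": "4.0.30319",
    "X-Generator": "Drupal 8",
    "Via": "1.1 internal-proxy.corp",
    "Content-Type": "text/html; charset=utf-8",
}

# Headers that routinely carry product/version strings, and headers that
# name internal infrastructure. Compared case-insensitively.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
INFRA_HEADERS = {"x-backend-server", "via"}

# "Apache/2.4.41 (Ubuntu)" -> (Apache, 2.4.41, Ubuntu); "Drupal 8" -> (Drupal, 8, "").
# A single value may list several products ("Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f").
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)*[\w.-]*)(?:\s+\(([^)]*)\))?")
# A version with no product name, as X-AspNet-Version sends it.
BARE_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version_headers(headers):
    """Return (header, product, version, comment) tuples for every disclosure.
    Product or version is "" when the header gives only one of them; for
    infrastructure headers the whole value is returned as the comment."""
    findings = []
    for name, value in headers.items():
        lname, value = name.lower(), value.strip()
        if lname in VERSION_HEADERS:
            hits = PRODUCT_RE.findall(value)
            if hits:
                findings.extend((name, prod, ver, comment) for prod, ver, comment in hits)
            elif BARE_VERSION_RE.fullmatch(value):
                findings.append((name, "", value, ""))
            elif value:
                findings.append((name, value, "", ""))  # product only, e.g. "nginx"
        elif lname in INFRA_HEADERS:
            findings.append((name, "", "", value))
    return findings


def cve_search_terms(findings):
    """Turn the findings into the "product version" strings you would paste
    into a CVE search, skipping entries that lack either half."""
    return sorted({f"{p} {v}" for _, p, v, _ in findings if p and v})


if __name__ == "__main__":
    for finding in parse_version_headers(SAMPLE_HEADERS):
        print(finding)
    print(cve_search_terms(parse_version_headers(SAMPLE_HEADERS)))
```

Run it over the headers dict from a requests/httpx response; a hit from `cve_search_terms` is the starting point for the version check, not the finding itself, for the reason given above.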

Robots.txt and sitemap

Always check:

curl -s https://TARGET/robots.txt
curl -s https://TARGET/sitemap.xml

robots.txt often names admin paths, staging endpoints and internal routes outright: the directives exist to keep crawlers away from exactly the places you want to look. Treat every Disallow entry as a target, not as an instruction.


Common backup / temp file paths

Developers leave backup copies with predictable names. Fuzz these:

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -u https://TARGET/FUZZ -mc 200

Common patterns to try manually:

index.php.bak      index.php~       index.php.old
config.php.bak     .config.php      config.php.orig
web.config.bak     web.config~
database.yml.bak   .env.bak         .env.orig
admin.php.bak      login.php.old
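The two steps above (harvest paths from robots.txt, then try backup variants of the files you know about) chain naturally. This added example, which is not code from the original page, does both: it parses a constructed robots.txt into concrete paths (dropping wildcard rules), then expands every path into the backup/temp names listed above (.bak, ~, .old, .orig and the dot-prefixed copy), using the well-known filenames from the table for directory entries. The sample robots.txt and KNOWN_FILES are assumptions for the demo.

```python
import posixpath

# Constructed sample robots.txt, not fetched from a real target.
SAMPLE_ROBOTS = """# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /staging/api/v2/
Disallow: /backup/db-2021.sql
Disallow: /*.php$
Allow: /public/
Sitemap: https://TARGET/sitemap.xml
"""

# Filenames worth trying inside any directory robots.txt reveals (from the table above).
KNOWN_FILES = ("index.php", "config.php", "web.config", "database.yml", ".env")
BACKUP_SUFFIXES = (".bak", "~", ".old", ".orig")


def robots_paths(text):
    """Return (paths, sitemaps): every concrete path named in an Allow/Disallow
    rule, in file order without duplicates, and the Sitemap URLs. Pattern
    rules (containing * or ending in $) are skipped; they are not fetchable."""
    paths, sitemaps, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sitemap":
            sitemaps.append(value)
        elif key in ("disallow", "allow") and value.startswith("/"):
            if "*" in value or value.endswith("$"):
                continue
            if value not in seen:
                seen.add(value)
                paths.append(value)
    return paths, sitemaps


def backup_variants(name):
    """The backup/temp names an editor or a hurried cp leaves next to `name`."""
    variants = [name + s for s in BACKUP_SUFFIXES]
    if not name.startswith("."):
        variants.append("." + name)   # hidden copy, e.g. .config.php
    return variants


def backup_candidates(paths, known_files=KNOWN_FILES):
    """Expand paths into URLs to probe. A path ending in "/" is a directory and
    gets variants of every known filename; any other path gets variants of
    its own filename."""
    out, seen = [], set()
    for p in paths:
        if p.endswith("/"):
            targets = [(p, f) for f in known_files]
        else:
            d, n = posixpath.split(p)
            targets = [(d.rstrip("/") + "/", n)]
        for d, n in targets:
            for v in backup_variants(n):
                url = d + v
                if url not in seen:
                    seen.add(url)
                    out.append(url)
    return out


if __name__ == "__main__":
    paths, sitemaps = robots_paths(SAMPLE_ROBOTS)
    for url in backup_candidates(paths):
        print(url)
```

Write the output to a file and use it as the ffuf wordlist against `https://TARGET/FUZZ`; the candidate list is small enough that a 200 on any entry deserves a manual look rather than a filter.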

.git repository exposure

If /.git/ is served by the web server you can reconstruct the whole source tree. Directory listing is not required: git-dumper falls back to fetching the well-known files (HEAD, index, config, refs) and walking the objects they reference.

# Test for exposure
curl -s https://TARGET/.git/HEAD

# Dump the whole repo
git-dumper https://TARGET/.git/ ./dumped_repo

Then search the source for secrets:

grep -rli "password\|secret\|key\|token\|api_key" ./dumped_repo --include="*.php" --include="*.py" --include="*.js"

Check the commit history too: a secret that was removed in a later commit is still present in the earlier objects.

Source maps

JavaScript source maps (.map files) reconstruct original unminified source, revealing internal logic, API paths, and sometimes hardcoded values:

# Check if source map references exist in the JS file
curl -s https://TARGET/static/app.min.js | grep sourceMappingURL

# Fetch the map at the path sourceMappingURL names (usually <script>.map beside the script)
curl -s https://TARGET/static/app.min.js.map | python3 -m json.tool | grep -i "secret\|key\|token"
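The same secret-hunting logic applies to a dumped .git tree and to the `sourcesContent` embedded in a source map, so this added example (not from the original page) serves both sections: it validates that a /.git/HEAD response is a real HEAD file rather than a soft-404 page, scans text for a few secret shapes (AWS access key IDs, private key blocks, JWTs, `password =`/`api_key =` style assignments), and walks a source map to list the original files, the API routes hard-coded in them, and any secrets. SAMPLE_MAP is a constructed map; the AKIA value is the placeholder key from AWS's own documentation.

```python
import json
import re


def looks_like_git_head(body):
    """True when a /.git/HEAD response is a real git HEAD (symbolic ref or a
    detached 40-hex commit id) rather than an HTML error page served with 200."""
    body = body.strip()
    return bool(re.fullmatch(r"ref: refs/[\w./-]+", body) or re.fullmatch(r"[0-9a-f]{40}", body))


# (label, pattern). Deliberately narrow: the aim is a short list worth reading.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+")),
    ("assignment", re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"\s]{6,})['"]""")),
]


def find_secrets(text, source="<text>"):
    """Return (source, line_no, label, matched_text) for every pattern hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SECRET_PATTERNS:
            for m in rx.finditer(line):
                hits.append((source, lineno, label, m.group(0)))
    return hits


# String literals that look like backend routes.
API_PATH_RE = re.compile(r"""["'`](/(?:api|v\d+|internal|admin)[A-Za-z0-9_./-]*)["'`]""")


def scan_source_map(map_text):
    """Parse a source map: original file names, API routes found in the embedded
    sources, and secret hits per file (sourcesContent may be absent or contain
    nulls, in which case only the file names are recoverable)."""
    sm = json.loads(map_text)
    sources = sm.get("sources", [])
    contents = sm.get("sourcesContent") or []
    routes, secrets = set(), []
    for name, content in zip(sources, contents):
        if not content:
            continue
        routes.update(API_PATH_RE.findall(content))
        secrets.extend(find_secrets(content, source=name))
    return {"sources": sources, "routes": sorted(routes), "secrets": secrets}


# Constructed sample source map (not from a real application).
SAMPLE_MAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///src/api.js", "webpack:///src/config.js"],
    "sourcesContent": [
        "export const base = '/api/v2/internal';\n"
        "export function users() { return fetch(`/api/v2/admin/users`); }\n",
        'export const api_key = "A1b2C3d4E5f6";\n'
        'const aws = { id: "AKIAIOSFODNN7EXAMPLE" };\n'
        "// TODO: remove before prod\n",
    ],
    "mappings": "AAAA",
})

if __name__ == "__main__":
    print(looks_like_git_head("ref: refs/heads/main\n"))
    print(json.dumps(scan_source_map(SAMPLE_MAP), indent=2))
```

For a dumped repository, call `find_secrets` on each file and, as noted above, on the output of the history as well; the hits are leads to verify, since test fixtures and example configs match the same patterns.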

Debug pages and developer endpoints

/phpinfo.php          — full PHP config, ENV vars, loaded modules
/server-status        — Apache mod_status (live requests with client and backend IPs)
/server-info          — Apache mod_info config dump
/actuator             — Spring Boot actuator index (lists the endpoints that are enabled)
/actuator/env         — environment and config properties (values for keys named like password/secret/key are masked by default, but property names, hosts and paths still leak)
/actuator/heapdump    — full JVM heap dump (credentials and session tokens as they sit in memory, including the values /env masks)
/debug                — generic debug endpoint
/console              — Werkzeug debugger console (Flask and other Werkzeug apps run in debug mode; Rails' web-console instead appears inline on error pages)
/_profiler            — Symfony profiler (stored requests, config, DB queries)

Spring Boot 2+ exposes only health and info over HTTP by default, so anything beyond that was switched on deliberately and is worth enumerating:

ffuf -w /usr/share/seclists/Discovery/Web-Content/spring-boot.txt \
  -u https://TARGET/FUZZ -mc 200
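`-mc 200` is only useful if the target returns 404 for missing paths; many apps answer every URL with a 200 "not found" page, which buries real hits. This added example (not code from the original page) triages probe results the way you would by hand: it fetches nothing itself, but takes the (status, body) pairs you already have, compares each against a baseline response for a path that cannot exist, drops the soft-404s, and fingerprints the rest using markers the tools above put in their pages. The sample responses are constructed; the fingerprint strings are assumed from typical installs and should be adjusted once you have seen the real page on a target.

```python
import difflib
import re

# Body markers for the endpoints listed above (assumed from typical page
# titles and JSON shapes; extend as you meet real instances).
FINGERPRINTS = [
    ("phpinfo", re.compile(r"phpinfo\(\)|PHP Version \d", re.I)),
    ("apache-server-status", re.compile(r"Apache Server Status", re.I)),
    ("apache-server-info", re.compile(r"Apache Server Information", re.I)),
    ("spring-actuator-env", re.compile(r'"propertySources"\s*:')),
    ("spring-actuator", re.compile(r'"_links"\s*:\s*\{')),
    ("werkzeug-debugger", re.compile(r"Werkzeug Debugger", re.I)),
    ("symfony-profiler", re.compile(r"Symfony Profiler", re.I)),
    ("directory-listing", re.compile(r"<(?:title|h1)>\s*Index of /", re.I)),
]


def is_soft_404(status, body, baseline_status, baseline_body, threshold=0.9):
    """A soft 404 answers every path with the same status and a near-identical
    body. Compare with the response for a random path that cannot exist.
    autojunk is off so short bodies are compared character for character."""
    if status != baseline_status:
        return False
    return difflib.SequenceMatcher(None, body, baseline_body, autojunk=False).ratio() >= threshold


def classify(status, body, baseline):
    """Label one probe response; baseline is the (status, body) of the random path."""
    if status in (404, 410):
        return "missing"
    if status in (401, 403):
        return "exists-protected"   # present but gated: record it, do not report as open
    if is_soft_404(status, body, *baseline):
        return "soft-404"
    for label, rx in FINGERPRINTS:
        if rx.search(body):
            return label
    return f"unknown-{status}"


def triage(probes, baseline):
    """probes: {path: (status, body)}. Returns {path: label}."""
    return {path: classify(status, body, baseline) for path, (status, body) in probes.items()}


# Constructed sample responses. The app answers unknown paths with a 200
# "not found" page, so raw status codes would flag /debug as a hit.
NOT_FOUND = ("<html><head><title>Page not found</title></head><body><h1>Sorry</h1>"
             "<p>We could not find {path} on this site. Try the search box or go back home.</p>"
             "<footer>Corp Inc.</footer></body></html>")
BASELINE = (200, NOT_FOUND.format(path="/zq81xk0v"))
SAMPLE_PROBES = {
    "/phpinfo.php": (200, "<html><head><title>PHP 7.4.3 - phpinfo()</title></head><body>...</body></html>"),
    "/actuator": (200, '{"_links":{"self":{"href":"https://TARGET/actuator"},'
                       '"env":{"href":"https://TARGET/actuator/env"}}}'),
    "/actuator/env": (200, '{"activeProfiles":[],"propertySources":[{"name":"systemEnvironment",'
                           '"properties":{"DB_PASSWORD":{"value":"******"}}}]}'),
    "/debug": (200, NOT_FOUND.format(path="/debug")),
    "/server-status": (403, "<html><body><h1>Forbidden</h1></body></html>"),
    "/uploads/": (200, "<html><head><title>Index of /uploads</title></head><body>"
                       '<h1>Index of /uploads</h1><a href="dump.sql">dump.sql</a></body></html>'),
    "/console": (404, "Not Found"),
}

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PROBES, BASELINE).items():
        print(f"{path:16} {label}")
```

ffuf's `-ac` flag does the same baseline calibration automatically; the function here is for the cases where you already have the responses in Burp and want the fingerprint step as well. Note the masked `DB_PASSWORD` in the /actuator/env sample: the property name is still a finding, and the value is what /actuator/heapdump gives you.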

Verbose error messages

Trigger errors deliberately to leak stack traces, DB schema, or internal paths:

  • Submit unexpected types: array instead of string, negative numbers, SQL keywords
  • Submit very long strings to hit buffer limits
  • Remove required parameters
  • Set Content-Type: application/xml when JSON is expected (may trigger parser errors)

In Burp Repeater, modify one parameter at a time and watch for changes in status code and response length: a new length with the same status usually means a different error path, and changing one thing per request keeps the cause unambiguous.
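Two pieces of that workflow are mechanical: generating the one-change-at-a-time variants of a parameter set, and recognising what a verbose response gives away. This added example (not from the original page) does both over constructed samples: `mutations` yields the variants listed above (dropped parameter, array instead of string, negative number, very long string, SQL keyword), and `classify_error` identifies PHP, Java, Python, ASP.NET and SQL error signatures in a body and pulls out the file:line locations and absolute paths they leak. The sample error bodies are made up for the demo.

```python
import re

STRIP_TAGS = re.compile(r"<[^>]+>")

# (label, pattern). Where a pattern has groups, the last two are (file, line)
# so classify_error can read locations generically.
ERROR_SIGNATURES = [
    ("php", re.compile(r"(?:Fatal error|Warning|Parse error|Notice|Deprecated):.*? in (\S+\.php) on line (\d+)")),
    ("java", re.compile(r"[\w.]+(?:Exception|Error)(?::[^\n]*)?\n\s+at [\w.$<>]+\((\w+\.java):(\d+)\)")),
    ("python", re.compile(r'Traceback \(most recent call last\):.*?File "([^"]+)", line (\d+)', re.S)),
    ("aspnet", re.compile(r"Server Error in '[^']*' Application|\[\w+Exception[^\]]*\]")),
    ("sql", re.compile(r"You have an error in your SQL syntax|SQLSTATE\[\w+\]|ORA-\d{5}|pg_query\(\)", re.I)),
]
# Absolute paths that reveal the deployment layout (Windows drive paths and common Unix roots).
PATH_RE = re.compile(r"""[A-Za-z]:\\[^\s'"<>:]+|/(?:var|home|opt|srv|usr|app)/[^\s'"<>:)]+""")


def classify_error(body):
    """Return {"frameworks": [...], "locations": ["file:line", ...], "paths": [...]}
    describing what an error response discloses. Empty lists mean nothing obvious."""
    text = STRIP_TAGS.sub("", body)      # PHP wraps its messages in <b> tags
    frameworks, locations = [], []
    for label, rx in ERROR_SIGNATURES:
        m = rx.search(text)
        if not m:
            continue
        frameworks.append(label)
        g = m.groups()
        if len(g) >= 2 and g[-1] and g[-1].isdigit():
            locations.append(f"{g[-2]}:{g[-1]}")
    return {"frameworks": frameworks, "locations": locations, "paths": sorted(set(PATH_RE.findall(text)))}


def mutations(params):
    """Yield (description, params) variants, one change per request, so any
    new error can be attributed to a single parameter."""
    for name, value in params.items():
        without = {k: v for k, v in params.items() if k != name}
        yield f"drop {name}", without
        yield f"{name} as array", {**without, f"{name}[]": value}
        yield f"{name} negative", {**params, name: "-1"}
        yield f"{name} very long", {**params, name: "A" * 10000}
        yield f"{name} SQL keyword", {**params, name: value + "' UNION SELECT"}


# Constructed sample error bodies (not from a real target).
PHP_SAMPLE = ("<b>Warning</b>:  mysqli_connect(): (HY000/1045): Access denied for user 'app'@'localhost' "
              "in <b>/var/www/html/includes/db.php</b> on line <b>12</b>")
JAVA_SAMPLE = ('java.lang.NullPointerException: Cannot invoke "String.trim()" because "name" is null\n'
               "\tat com.corp.billing.InvoiceController.create(InvoiceController.java:88)\n"
               "\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n")
PYTHON_SAMPLE = ('Traceback (most recent call last):\n  File "/app/views/orders.py", line 41, in checkout\n'
                 '    total = cart["total"]\nKeyError: \'total\'')
ASPNET_SAMPLE = ("Server Error in '/' Application.\n\n[NullReferenceException: Object reference not set to an instance of an object.]\n"
                 "   Corp.Web.Default.Page_Load(Object sender, EventArgs e) in C:\\inetpub\\wwwroot\\corp\\Default.aspx.cs:27")

if __name__ == "__main__":
    for sample in (PHP_SAMPLE, JAVA_SAMPLE, PYTHON_SAMPLE, ASPNET_SAMPLE):
        print(classify_error(sample))
    for desc, p in mutations({"id": "5", "q": "x"}):
        print(desc, p)
```

Send each mutation in Repeater (or as an Intruder payload set), run `classify_error` over the responses, and diff the result against the baseline response rather than eyeballing lengths.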


Directory listing

# Check common paths
curl -s https://TARGET/images/ | grep -i "index of"
curl -s https://TARGET/uploads/
curl -s https://TARGET/backup/

Burp Scanner reports open directory listings. If found, spider the directory for sensitive files.


Environment variables via misconfigured endpoints

# .env file exposed at the web root (a real hit contains KEY=value lines, not an HTML page)
curl -s https://TARGET/.env

# Other env dumps left behind by build or deploy tooling
curl -s https://TARGET/env.json

# Cloud instance metadata. These addresses are link-local and only answer from the
# instance itself, so they are reached through an SSRF in the target, not directly.
curl -s http://169.254.169.254/latest/meta-data/   # AWS IMDS (IMDSv1; IMDSv2 needs a PUT for a token first)
curl -s http://metadata.google.internal/computeMetadata/v1/ -H "Metadata-Flavor: Google"

Version disclosure via cookies and tokens

Session IDs and tokens often leak the framework:

PHPSESSID=...      → PHP
JSESSIONID=...     → Java / Tomcat
ASP.NET_SessionId  → ASP.NET

A JWT header is base64url-encoded JSON and can be read without the signing key: it discloses the algorithm and sometimes a kid (key ID) that names a file path or URL on the backend.
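An added example (not from the original page) for the two fingerprints above: it maps Set-Cookie names to the platform they betray and decodes a JWT's header and payload without verifying the signature, flagging the algorithm and any kid that looks like a path or URL. The token is built locally from constructed claims with a dummy signature; the cookie-to-platform table is the one given above, and padding is restored before decoding because JWT segments are sent unpadded.

```python
import base64
import json

# Session cookie name -> platform (from the table above).
COOKIE_FINGERPRINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java / Tomcat",
    "ASP.NET_SessionId": "ASP.NET",
}


def fingerprint_cookies(set_cookie_headers):
    """Map each Set-Cookie value to the platform its cookie name reveals."""
    found = {}
    for hdr in set_cookie_headers:
        name = hdr.split("=", 1)[0].strip()
        if name in COOKIE_FINGERPRINTS:
            found[name] = COOKIE_FINGERPRINTS[name]
    return found


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(header, payload):
    """Build a token with a dummy signature for testing the inspector (constructed, never valid)."""
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.sig"


def inspect_jwt(token):
    """Decode header and payload WITHOUT verifying the signature; we are only
    reading what the token discloses. Returns None if it is not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:            # bad base64 (binascii.Error) or bad JSON
        return None
    notes = []
    if header.get("alg"):
        notes.append(f"alg={header['alg']}")
    kid = header.get("kid")
    if isinstance(kid, str) and (kid.startswith(("/", "../", "http://", "https://"))
                                 or kid.endswith((".pem", ".key", ".json"))):
        notes.append(f"kid looks like a path/URL: {kid}")
    return {"header": header, "payload": payload, "notes": notes}


if __name__ == "__main__":
    # Constructed claims for the demo.
    tok = make_unsigned_jwt({"alg": "RS256", "typ": "JWT", "kid": "/etc/app/keys/jwt-2023.pem"},
                            {"sub": "42", "role": "user"})
    print(inspect_jwt(tok))
    print(fingerprint_cookies(["PHPSESSID=abc123; Path=/; HttpOnly", "theme=dark"]))
```

A kid that names a filesystem path or an external URL is a disclosure in itself (internal layout, key rotation dates) and a lead for the JWT-specific tests elsewhere; the decoder here deliberately does no validation so that it works on any token you see in a response.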


Burp Suite workflow

  1. Proxy — browse the entire app; check every response’s headers and body for version strings.
  2. Target → Site map → Engagement tools → Find comments — extract all HTML/JS comments.
  3. Scanner — active scan for backup files, debug pages, directory listing.
  4. Intruder — fuzz backup file extensions (.bak, .old, .orig, ~) on known filenames.
  5. Search (Ctrl+F in HTTP history) — search for password, key, secret, token across all responses.