
Information Leak

What does this mean?

An information leak occurs when a website unintentionally exposes sensitive information to its users. The risks of leaking customer or corporate data are self-evident, but revealing technical information (internal host names, file paths, stack traces, framework versions) can be just as dangerous.

What can happen?

Exposing sensitive personal or corporate data can have a significant impact on the people and organisations involved. Leaking technical information, such as the directory structure, internal addresses or the third-party frameworks in use, may have little or no immediate impact on its own. In the wrong hands, however, it narrows an attacker's search: a framework version points to known vulnerabilities, a path or host name to targets, and a stack trace to the code that handles a given input, so the leak can be combined with other weaknesses to mount any number of attacks.

Recommendation

  • Make certain that everyone involved in building the website knows which material is considered sensitive: customer and corporate data, but also credentials, internal host names and paths, framework versions and stack traces.
  • As part of your QA or build process, audit the code for possible information leakage, for example by scanning for debug output, verbose error handlers and diagnostic pages.
  • Use generic error messages wherever possible, and keep the detail in server-side logs.
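The second recommendation can be turned into a mechanical check. The script below is an added example, not code from the original page: a small Node.js audit that scans source text for the leak-prone constructs shown in the sample code further down (printStackTrace, phpinfo(), console.log) and for internal addresses concatenated into user-facing strings. The rules, file names and file contents are constructed for illustration; a real audit would tune the patterns to its own code base and gate the build on the `pass` flag.

```javascript
'use strict';

// Patterns worth a reviewer's attention. Each rule carries a short reason so
// the CI output explains itself. (Rules and names are constructed for this example.)
const LEAK_RULES = [
  { id: 'stack-trace-to-output', re: /\.printStackTrace\s*\(/,
    why: 'stack trace written to an output stream' },
  { id: 'phpinfo', re: /\bphpinfo\s*\(/,
    why: 'phpinfo() dumps PHP configuration, paths and environment' },
  { id: 'console-log', re: /\bconsole\.(log|debug|info|dir)\s*\(/,
    why: 'browser console output is readable by any user with dev tools' },
  { id: 'host-in-message',
    re: /["'][^"']*\b(server|host|database|db)\b[^"']*["']\s*\+\s*\w*(addr|address|host|url)\w*/i,
    why: 'internal address concatenated into a user-facing string' },
  { id: 'internal-path', re: /["'](?:\/(?:etc|var|home|opt|srv)\/|[A-Z]:\\)[^"']*["']/,
    why: 'filesystem path embedded in a string literal' },
];

// Scan one file's text line by line and return the findings.
function scanSource(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    // A line that is entirely a comment ("// phpinfo();") is disabled code, not a leak.
    if (/^\s*(\/\/|#|\*|\/\*)/.test(line)) return;
    for (const rule of LEAK_RULES) {
      if (rule.re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, rule: rule.id, why: rule.why, text: line.trim() });
      }
    }
  });
  return findings;
}

// Audit a map of fileName -> contents. `pass` is what a build step would gate on.
function auditFiles(files) {
  const findings = Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
  return { findings, pass: findings.length === 0 };
}

// Constructed sample inputs mirroring the page's snippets.
const SAMPLE_FILES = {
  'Dialog.java': [
    'warningDialogBox.setText("WARNING: Could not connect to app server at " + serverAddress);',
    'try { int num1 = 5 / 0; } catch (Throwable e) { e.printStackTrace(); }',
  ].join('\n'),
  'info.php': '<?php\n    phpinfo();\n?>',
  'app.js': 'console.log(information);',
  'fixed.php': '<?php\n    // phpinfo();\n?>',
};

// Stand-alone run: print findings the way a CI log would show them.
const report = auditFiles(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.why}\n    ${f.text}`);
}
console.log(report.pass ? 'audit passed' : `audit failed: ${report.findings.length} finding(s)`);
```

Running it against the constructed files reports four findings (the dialog text with the server address, the printStackTrace call, the live phpinfo() and the console.log) and none for the file where phpinfo() is commented out. Regex rules of this kind produce false positives, so treat the output as a review queue rather than a verdict.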

Sample Code

Vulnerable:

warningDialogBox = this.myWidgetFactoryWrapper.createHtmlDialogBox();
// The internal server address is shown to whoever sees the dialog.
warningDialogBox.setText("WARNING: Could not connect to app server at " + serverAddress);

try {
    int num1 = 5 / 0;   // throws ArithmeticException
}
catch (Throwable e) {
    // The full stack trace (class names, file names, line numbers) is written out.
    e.printStackTrace();
}

// Whatever accumulated in outputStream, stack traces included, is echoed back.
System.out.println(outputStream.toString());

Non Vulnerable:

warningDialogBox = this.myWidgetFactoryWrapper.createHtmlDialogBox();
// The detail goes to the server-side log, where operators can read it...
LOGGER.warning("WARNING: Could not connect to app server at " + serverAddress);
// ...and the user sees only a generic message.
warningDialogBox.setText("Unable to connect to application server, please contact support.");

Vulnerable:

<?php
    // Dumps the PHP version, loaded modules, configuration, paths and
    // environment variables to the page for any visitor to read.
    phpinfo();
?>

Non Vulnerable:

<?php
    // Diagnostic output disabled; remove the call entirely before deploying.
    // phpinfo();
?>

Vulnerable:

// Anyone can open the browser's developer tools and read what is logged here.
console.log(information);
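The Java pair above separates what is logged from what the user sees; the same split applies to any web back end that returns errors to a browser. The following is an added example, not code from the original page: a Node.js error handler that records the full error (message, stack trace, connection details) in a log record, returns only a generic message plus a reference number to the client, and a check that can be run in tests to confirm nothing internal reached the response body. The error object, the internal address 10.0.3.14, the field list and the status mapping are constructed assumptions for the illustration.

```javascript
'use strict';

// Error properties that describe internals and must stay server-side.
// (This list and everything below are constructed for this example.)
const INTERNAL_FIELDS = ['code', 'address', 'port', 'hostname', 'path', 'syscall', 'sql', 'query', 'config', 'cause'];

// Generic, user-safe responses keyed by error name; anything unknown is a 500.
const GENERIC_RESPONSES = {
  ValidationError: { status: 400, message: 'The request could not be processed.' },
  NotFoundError: { status: 404, message: 'The requested resource was not found.' },
};
const DEFAULT_RESPONSE = {
  status: 500,
  message: 'Unable to complete your request. Please contact support and quote the reference number.',
};

// Correlation id linking the user's report to the log line. It is not a secret,
// so Math.random is adequate here; a deployment would use crypto.randomUUID().
function newReference() {
  return Math.random().toString(16).slice(2, 10);
}

// Vulnerable shape, kept for contrast: internals flow straight into the body.
function vulnerableResponse(err) {
  return {
    status: 500,
    body: { error: 'Could not connect to app server at ' + err.address + ':' + err.port, stack: err.stack },
  };
}

// Hardened shape: one record for the log, one generic body for the client.
function buildErrorResponse(err, { reference = newReference(), debug = false } = {}) {
  const generic = GENERIC_RESPONSES[err.name] || DEFAULT_RESPONSE;
  const logRecord = { level: 'error', reference, name: err.name, message: err.message, stack: err.stack, details: {} };
  for (const field of INTERNAL_FIELDS) {
    if (err[field] !== undefined) logRecord.details[field] = err[field];
  }
  const body = { error: generic.message, reference };
  // Only an explicit debug switch (never on in production) adds the real message.
  if (debug) body.detail = err.message;
  return { status: generic.status, body, logRecord };
}

// Test-time check: does any string taken from the error appear in what the client gets?
function leaksInternalDetail(body, err) {
  const serialized = JSON.stringify(body);
  const secrets = [err.message, err.stack, ...INTERNAL_FIELDS.map((f) => err[f])]
    .filter((v) => typeof v === 'string' && v.length > 0);
  return secrets.some((v) => serialized.includes(v));
}

// Constructed sample: the kind of error a failed back-end connection produces.
const sampleError = Object.assign(new Error('connect ECONNREFUSED 10.0.3.14:8080'), {
  name: 'ConnectionError', code: 'ECONNREFUSED', syscall: 'connect', address: '10.0.3.14', port: 8080,
});

const leaky = vulnerableResponse(sampleError);
const safe = buildErrorResponse(sampleError, { reference: 'c0ffee42' });
console.log('vulnerable body leaks internals:', leaksInternalDetail(leaky.body, sampleError));
console.log('hardened body leaks internals:', leaksInternalDetail(safe.body, sampleError));
console.log('client sees:', JSON.stringify(safe.body));
console.log('log gets:', JSON.stringify(safe.logRecord));
```

The reference number is what makes the generic message usable: support staff look it up in the log and find the address, error code and stack trace there, while the user (or attacker) sees nothing about the internal topology. The `leaksInternalDetail` check is deliberately blunt, matching any string from the error against the serialized body, so it also catches a later refactor that "helpfully" adds `err.message` to the response.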

References