====== BBC Ch 21: Information Disclosure ======

//Source: Bug Bounty Bootcamp by Vickie Li//

Information disclosure bugs occur when an application exposes data it shouldn't -- version numbers, config files, source code, credentials, internal IPs, or users' private data. These bugs are among the most commonly found during bug bounty hunting.

===== Types of Information Leaked =====

  * **Technical details** -- software versions, internal IPs, error messages revealing stack traces; used by attackers to select exploits
  * **Configuration and credential files** -- access tokens, database passwords, API keys
  * **Source code** -- reveals logic flaws, hardcoded secrets, and infrastructure details
  * **User private data** -- PII, bank details, email addresses leaked to unauthorized parties

Common leak sources: HTTP response headers (''X-Powered-By: PHP/5.2.17''), exposed ''.git'' directories, public GitHub/Pastebin posts, public HTML/JS files.

===== Prevention =====

  * Never hardcode credentials in source code -- use config files or secret storage (HashiCorp Vault)
  * Audit public repositories periodically for accidentally uploaded sensitive files
  * Apply granular access control to all sensitive files on the production server
  * Strip server version headers from HTTP responses
  * Return generic error pages -- suppress stack traces and technical error messages

===== Hunting for Information Disclosure =====

==== Step 1: Path Traversal ====

Manipulate file path parameters with ''../'' to escape the intended directory:
<code>
https://example.com/image?url=/images/../../../../../../../etc/shadow
```

Encoded variants if raw ''../'' is blocked:
<code>
%2e%2e%2f          (URL encoding)
%252e%252e%255f    (double URL encoding)
..%2f              (partial encoding)
```

==== Step 2: Search the Wayback Machine ====

''https://web.archive.org/web/*/DOMAIN/*'' -- lists all archived URLs for a domain.

Search archived URLs for:
  * ''/admin'' endpoints
  * ''.conf'', ''.env'' configuration files
  * ''.js'', ''.php'' source files
  * Backup files

Download and grep archived pages for hardcoded credentials, hidden endpoints.

==== Step 3: Search Paste Dump Sites ====

Developers use Pastebin and GitHub Gists to share code snippets; files are public by default. Search for the target organization's name, domain, or developer emails.

Tools:
  * pastebin-scraper: ''./scrape.sh -g KEYWORD''
  * PasteHunter
  * Gitleaks / TruffleHog for monitoring repositories

==== Step 4: Reconstruct Source Code from Exposed .git Directory ====

Check if the ''.git'' directory is public:
<code>
https://example.com/.git           (directory listing?)
curl https://example.com/.git/config   (file accessible?)
```

**If directory listing is enabled:** download recursively:
<code>
wget -r example.com/.git
```

**If listing is disabled** but files are accessible: reconstruct manually.

Start with known files:
<code>
curl https://example.com/.git/HEAD
  -> ref: refs/heads/master

curl https://example.com/.git/refs/heads/master
  -> 0a66452433322af3d319a377415a890c70bbd263   (commit hash)

curl https://example.com/.git/objects/0a/66452433322af3d319a377415a890c70bbd263
  (download commit object)

git cat-file -p COMMIT_HASH
  -> tree TREE_HASH   (get tree hash)

git cat-file -p TREE_HASH
  -> blob BLOB_HASH source.py   (list files)

curl https://example.com/.git/objects/BLOB_PREFIX/BLOB_SUFFIX
  (download the blob)
```

Decompress downloaded object files (Git uses zlib):
<code>
ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < OBJECT_FILE
python3 -c 'import zlib, sys; print(zlib.decompress(sys.stdin.buffer.read()).decode())' < OBJECT_FILE
```

After reconstructing source code, grep for secrets:
<code>
grep -r "password|api_key|secret|token" .
```

Use TruffleHog or Gitleaks for entropy-based secret scanning.

==== Step 5: Find Information in Public Files (HTML/JS) ====

  * Browse the app; View Source; follow links to JS files
  * Grep all JS files for: ''password'', ''api_key'', ''secret'', ''token'', ''login''
  * Use LinkFinder (https://github.com/GerbenJavado/LinkFinder/) to enumerate JS files and hidden endpoints
  * Look for internal IP addresses, hardcoded credentials, and informative comments in client-side code

===== Escalating the Attack =====

  * **Always validate** that found credentials are current and working before reporting -- outdated creds are not a vulnerability
  * If GitHub access token found: check what repositories and organizations it can access
  * If admin panel credentials found: determine what data/actions are accessible
  * If ''/etc/shadow'' is readable: attempt to crack the hashes (''hashcat'', ''john'')
  * If version numbers found: look for applicable CVEs (''searchsploit'', NVD)
  * If internal IPs found: chain with SSRF to pivot into the internal network

===== 5-Step Checklist =====

  - Use recon (headers, error messages) to find software version numbers and config hints.
  - Attempt path traversal on file parameters to read ''/etc/shadow'' or config files.
  - Search Wayback Machine and paste dump sites for exposed historical files.
  - Check for exposed ''.git'' directory; reconstruct source code if found.
  - Grep public HTML/JS files for credentials and internal details; validate all found credentials before reporting.