BBC Ch 21: Information Disclosure

Source: Bug Bounty Bootcamp by Vickie Li

Information disclosure bugs occur when an application exposes data it shouldn't – version numbers, config files, source code, credentials, internal IPs, or users' private data. These bugs are among the most commonly found during bug bounty hunting.

• Technical details – software versions, internal IPs, error messages revealing stack traces; used by attackers to select exploits
• Configuration and credential files – access tokens, database passwords, API keys
• Source code – reveals logic flaws, hardcoded secrets, and infrastructure details
• User private data – PII, bank details, email addresses leaked to unauthorized parties

Common leak sources: HTTP response headers (X-Powered-By: PHP/5.2.17), exposed .git directories, public GitHub/Pastebin posts, public HTML/JS files.

• Never hardcode credentials in source code – use config files or secret storage (HashiCorp Vault)
• Audit public repositories periodically for accidentally uploaded sensitive files
• Apply granular access control to all sensitive files on the production server
• Strip server version headers from HTTP responses
• Return generic error pages – suppress stack traces and technical error messages

Manipulate file path parameters with ../ to escape the intended directory: <code> https://example.com/image?url=/images/../../../../../../../etc/shadow ```

Encoded variants if raw ../ is blocked: <code> %2e%2e%2f (URL encoding) %252e%252e%255f (double URL encoding) ..%2f (partial encoding) ```

https://web.archive.org/web/*/DOMAIN/* – lists all archived URLs for a domain.

Search archived URLs for:

• /admin endpoints
• .conf, .env configuration files
• .js, .php source files
• Backup files

Download and grep archived pages for hardcoded credentials, hidden endpoints.

Developers use Pastebin and GitHub Gists to share code snippets; files are public by default. Search for the target organization's name, domain, or developer emails.

Tools:

• pastebin-scraper: ./scrape.sh -g KEYWORD
• PasteHunter
• Gitleaks / TruffleHog for monitoring repositories

Check if the .git directory is public: <code> https://example.com/.git (directory listing?) curl https://example.com/.git/config (file accessible?) ```

If directory listing is enabled: download recursively: <code> wget -r example.com/.git ```

If listing is disabled but files are accessible: reconstruct manually.

Start with known files: <code> curl https://example.com/.git/HEAD

1. > ref: refs/heads/master

curl https://example.com/.git/refs/heads/master

1. > 0a66452433322af3d319a377415a890c70bbd263 (commit hash)

curl https://example.com/.git/objects/0a/66452433322af3d319a377415a890c70bbd263

(download commit object)

git cat-file -p COMMIT_HASH

1. > tree TREE_HASH (get tree hash)

git cat-file -p TREE_HASH

1. > blob BLOB_HASH source.py (list files)

curl https://example.com/.git/objects/BLOB_PREFIX/BLOB_SUFFIX

(download the blob)

```

Decompress downloaded object files (Git uses zlib): <code> ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < OBJECT_FILE python3 -c 'import zlib, sys; print(zlib.decompress(sys.stdin.buffer.read()).decode())' < OBJECT_FILE ```

After reconstructing source code, grep for secrets: <code> grep -r “password|api_key|secret|token” . ```

Use TruffleHog or Gitleaks for entropy-based secret scanning.

• Browse the app; View Source; follow links to JS files
• Grep all JS files for: password, api_key, secret, token, login
• Use LinkFinder (https://github.com/GerbenJavado/LinkFinder/) to enumerate JS files and hidden endpoints
• Look for internal IP addresses, hardcoded credentials, and informative comments in client-side code

• Always validate that found credentials are current and working before reporting – outdated creds are not a vulnerability
• If GitHub access token found: check what repositories and organizations it can access
• If admin panel credentials found: determine what data/actions are accessible
• If /etc/shadow is readable: attempt to crack the hashes (hashcat, john)
• If version numbers found: look for applicable CVEs (searchsploit, NVD)
• If internal IPs found: chain with SSRF to pivot into the internal network

1. Use recon (headers, error messages) to find software version numbers and config hints.
2. Attempt path traversal on file parameters to read /etc/shadow or config files.
3. Search Wayback Machine and paste dump sites for exposed historical files.
4. Check for exposed .git directory; reconstruct source code if found.
5. Grep public HTML/JS files for credentials and internal details; validate all found credentials before reporting.