Information disclosure is a class of attack aimed at extracting specific information about a website and the system behind it: user data or financial information; sensitive commercial or business data; technical details about the site, such as the software distribution in use, version numbers and patch levels. The acquired information may also include the location of backup or temporary files. The more an attacker learns about a website, the easier it becomes to compromise it.
How does a site become vulnerable to this attack?
The causes vary:
- Failure to remove internal content from what is published. For example, developer comments in the HTML source are sometimes left visible to anyone who views the page.
- Insecure configuration of the website and related technologies. For example, failing to disable debugging and diagnostic features can sometimes provide attackers with useful tools to help them obtain sensitive information.
- Application design. For example, if a website returns distinct responses for different error states (say, "unknown username" versus "incorrect password"), an attacker can use the difference to enumerate sensitive data, such as valid usernames.
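The login example in the last point, as an added illustration that is not code from the original page: a handler whose distinct error messages let an attacker confirm which usernames exist, beside a hardened version that returns one message and does the same password-hashing work whether or not the account exists (so response timing leaks nothing either). The user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT_ALICE = b"\x01" * 16
USERS = {"alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE))}

# Dummy record used for unknown usernames so the hardened handler spends the
# same time hashing for a non-existent account as for a real one.
_DUMMY_SALT = b"\x02" * 16
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Returns (status, message). The two 401 messages differ, which reveals
    whether the username exists before the password is even considered."""
    rec = USERS.get(username)
    if rec is None:
        return 401, "Unknown username"
    salt, expected = rec
    if not hmac.compare_digest(_hash(password, salt), expected):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_hardened(username: str, password: str):
    """Returns (status, message). One generic failure message, and the hash is
    always computed (against a dummy record if needed) to keep timing uniform."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if rec is None or not ok:
        return 401, "Invalid username or password"
    return 200, "Welcome"


def enumerate_users(login, candidates):
    """Attacker's view: try a wrong password for each candidate and group the
    names by the message that comes back. Distinct messages == enumeration."""
    by_message = {}
    for name in candidates:
        _, msg = login(name, "definitely-wrong-password")
        by_message.setdefault(msg, []).append(name)
    return by_message


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("hardened:  ", enumerate_users(login_hardened, names))
```

Run stand-alone, the vulnerable handler sorts "alice" into its own bucket while the hardened one returns a single bucket for all three names. Note that the same leak can reappear through other channels (a different HTTP status code, a redirect, a "reset password" flow that says whether the e-mail is registered), so the check should cover every path that takes a username, not only the login form.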
How to prevent these attacks?
Completely preventing information disclosure is complicated due to the huge variety of ways it can occur. However, there are some general best practices you can follow to minimize the risk of this type of vulnerability creeping into your websites.
- Make sure everyone involved in producing the website is fully aware of what information is considered sensitive. Sometimes seemingly innocuous information can be much more useful to an attacker than people realize.
- Audit any code for potential information disclosure as part of your QA or build process. It is relatively easy to automate some of the associated tasks, such as stripping developer comments from pages before they are served.
- Use generic error messages wherever possible, and keep the detailed error in server-side logs rather than in the response.
- Verify that debug or diagnostic features are disabled in the production environment.
- Make sure you fully understand the configuration settings and security implications of any third-party technology you implement.
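One way to automate the QA checks from the list above (developer comments, debug remnants, version strings in headers), as an added example that is not code from the original page: a small scanner that parses a page's HTML for comments and generator tags, flags the ones that mention anything sensitive, strips all comments for publication, and flags response headers that advertise version numbers. The sample page and headers are constructed for the example; the keyword list is an assumed starting point, not a definitive one.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list; extend it with terms that matter for your own site.
SENSITIVE_WORDS = ("todo", "fixme", "password", "passwd", "secret", "api key",
                   "apikey", "token", "admin", "internal", "debug", "backup",
                   ".bak", ".old", "staging")
# Headers that commonly carry a product/version string.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


class _PageInspector(HTMLParser):
    """Collects HTML comments and <meta name="generator"> values."""
    def __init__(self):
        super().__init__()
        self.comments = []
        self.generators = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def find_developer_comments(html: str):
    p = _PageInspector()
    p.feed(html)
    p.close()
    return p.comments


def find_generator_tags(html: str):
    p = _PageInspector()
    p.feed(html)
    p.close()
    return p.generators


def flag_sensitive_comments(html: str):
    """Comments worth a human look: anything mentioning a sensitive keyword."""
    return [c for c in find_developer_comments(html)
            if any(w in c.lower() for w in SENSITIVE_WORDS)]


_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

def strip_comments(html: str) -> str:
    """Remove every HTML comment before publishing. Caveat: this also removes
    IE conditional comments and comment-like text inside <script> strings."""
    return _COMMENT_RE.sub("", html)


def flag_version_headers(headers: dict):
    """Response headers that name a product and contain a version number."""
    return {k: v for k, v in headers.items()
            if k.lower() in VERSION_HEADERS and re.search(r"\d", v)}


def scan_page(html: str, headers: dict):
    return {
        "sensitive_comments": flag_sensitive_comments(html),
        "generator_tags": find_generator_tags(html),
        "version_headers": flag_version_headers(headers),
    }


# Constructed sample page and headers (not taken from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 4.2.1">
</head><body>
<!-- TODO: remove before release, temp admin login at /admin-old, password in config.bak -->
<!-- layout wrapper -->
<div>Hello</div>
</body></html>"""
SAMPLE_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)",
                  "X-Powered-By": "PHP/7.4.3",
                  "Content-Type": "text/html"}

if __name__ == "__main__":
    for k, v in scan_page(SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

In a CI pipeline the scanner would run over the rendered output of each page (the comments are injected by templates as often as by hand-written HTML) and fail the build on any finding in `sensitive_comments`, `generator_tags` or `version_headers`; header findings are fixed in the web-server or framework configuration rather than in the application code, which is the "understand the configuration of third-party technology" point above.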
