Let's break down how to find an Information Disclosure (ID) vulnerability step by step in a methodical way, just like a penetration tester would approach it. I'll make it detailed, practical, and beginner-friendly.
Step 1: Understand What Information Disclosure Is
Information Disclosure happens when a web application or system unintentionally exposes sensitive information that could help an attacker. Examples include:
- Configuration files (like
.env,config.php) - Backup files (like
backup.zip,database.sql) - Error messages revealing stack traces
- Sensitive headers (like
Server,X-Powered-By) - Directory listing enabled
- Sensitive data in comments, logs, or HTML source
Goal: You want to see if the application leaks anything that shouldn't be public.
Step 2: Reconnaissance / Information Gathering
Before looking for vulnerabilities, gather as much info about the target as possible.
- Passive Recon (without touching the server directly):
- Use search engines (Google dorks) like:
site:example.com filetype:env site:example.com intitle:"index of"
site:example.com inurl:backup
site:example.com -www -shop -documentation "logs"- Check public GitHub or code repositories for leaks.
- Inspect SSL certificates or public subdomains for clues.
- Active Recon (interacting with the target):
- Browse the website and note any unusual files or endpoints.
- Check robots.txt:
example.com/robots.txtmight list sensitive paths. - Look for exposed directories or files via URL fuzzing:
/config.php
/backup/
/uploads/
/admin/Step 3: Inspect HTTP Headers
Sometimes, the server itself leaks info through headers:
- Tools: Burp Suite, OWASP ZAP, curl
- Look for:
Serverheader → may reveal web server type/versionX-Powered-By→ may reveal framework/languageSet-Cookieflags → missingHttpOnlyorSecurecould be sensitive
Example with curl:
curl -I https://example.comStep 4: Analyze the Application Behavior
- Look at error messages:
- Submit unexpected input to see if detailed errors are returned.
- Examples: SQL errors, stack traces, or debugging messages.
- Check hidden fields or parameters:
- Inspect HTML source code for:
- Hidden inputs containing sensitive info.
- Comments in HTML or JavaScript revealing logic.
- Examine JavaScript files:
- Check
/jsor/assetsfor API keys, endpoints, or credentials.
- Check URL parameters and GET requests:
- Sometimes sensitive info appears in query strings (
?id=1234&token=abc).
Step 5: Check for Misconfigured Files and Directories
- Look for common config or backup files:
.env, config.php, config.yml, database.sql, backup.zip- Check for publicly accessible directories:
- If directory listing is enabled, you can see all files:
https://example.com/uploads/ https://example.com/images/- Try to access old versions of files or admin panels:
- Examples:
/admin.old.php
/login_backup.htmlStep 6: Automated Scanning (Optional but Helpful)
Use scanners to speed up detection:
- Nikto: Scans for exposed files, misconfigurations.
- Gobuster / Dirbuster: Enumerates directories and files.
- Burp Suite Pro: Can find hidden endpoints and parameters.
- OWASP ZAP: Passive and active scanning for info leaks.
Example with Gobuster:
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txtStep 7: Validate the Vulnerability
- Make sure the information disclosed is sensitive and could be abused.
- Examples of risky leaks:
- Database credentials
- API keys or tokens
- Admin panel URLs
- Server paths or software versions
Never exploit in a real environment without permission. Focus on testing in labs, authorized pen-testing environments, or bug bounty programs.
Step 8: Document Your Findings
- URL or location of leak
- Type of information exposed
- Steps to reproduce
- Risk level (low, medium, high)
✅ Pro Tip: Think like an attacker — anything that helps you learn about the system, its software, or its structure counts as useful info. Even seemingly "harmless" errors or file listings can become a stepping stone for bigger attacks.