37 lines
900 B
Markdown
37 lines
900 B
Markdown
|
|
||
|
## Common Sources of Information Disclosure
|
||
|
|
||
|
Common Sources of Information Disclosure
|
||
|
|
||
|
- File for Web Crawlers
|
||
|
/robots.txt
|
||
|
/sitemap.xml
|
||
|
|
||
|
- Directory Listings
|
||
|
|
||
|
- Developer Comments
|
||
|
|
||
|
- Error Messages
|
||
|
Pay attention to any verbose error messages
|
||
|
§ Template Engine
|
||
|
§ Database Type
|
||
|
§ Server being used
|
||
|
§ Versions
|
||
|
- Use this to search for documented exploits
|
||
|
- If open-source, you can study the actual code being used
|
||
|
|
||
|
- Debugging Data
|
||
|
- Look for the following:
|
||
|
§ Values for key session variables
|
||
|
§ Hostnames of creds for back-end components
|
||
|
§ File and directory names on the server
|
||
|
§ Keys used to encrypt data
|
||
|
|
||
|
- User Account Pages
|
||
|
|
||
|
- Source Code Disclosure via Backup Files
|
||
|
- Often include API keys or creds for back-end components
|
||
|
|
||
|
- Version Control History
|
||
|
- Exposed /.git directories
|
||
|
- Load on personal machine and browse through it
|