Information Exposure [CWE-200] - The Hacktivists
The information disclosure weakness covers the intentional or unintentional disclosure of information that is considered sensitive.
Table of Contents
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Exploitation Examples
6. Severity and CVSS Scoring
1. Description
………………………………
This weakness can result from many different kinds of problems that involve exposure of sensitive information. Information is considered sensitive when:
❏ It is sensitive within the product's own functionality (e.g. access-restricted information, private messages, etc.)
❏ It contains data about the product itself, its environment or related systems that the application is not intended to disclose.
CWE-200 is a parent for the following weaknesses:
❏ CWE-201: Information Exposure Through Sent Data
❏ CWE-202: Exposure of Sensitive Data Through Data Queries
❏ CWE-203: Information Exposure Through Discrepancy
❏ CWE-209: Information Exposure Through an Error Message
❏ CWE-211: Information Exposure Through Externally-Generated Error Message
❏ CWE-212: Improper Cross-boundary Removal of Sensitive Data
❏ CWE-213: Intentional Information Exposure
❏ CWE-214: Information Exposure Through Process Environment
❏ CWE-215: Information Exposure Through Debug Information
❏ CWE-226: Sensitive Information Uncleared Before Release
❏ CWE-497: Exposure of System Data to an Unauthorized Control Sphere
❏ CWE-524: Information Exposure Through Caching
❏ CWE-526: Information Exposure Through Environmental Variables
❏ CWE-538: File and Directory Information Exposure
❏ CWE-598: Information Exposure Through Query Strings in GET Request
❏ CWE-612: Information Exposure Through Indexing of Private Data
2. Potential impact
………………………………
The potential impact varies with the application, its environment and other circumstances. Many different problems involve information leaks, and their severity ranges widely depending on what information is disclosed.
3. Attack patterns
………………………………
The following CAPEC attack patterns are related to the information disclosure weakness:
❏ CAPEC-13: Subverting Environment Variable Values
❏ CAPEC-22: Exploiting Trust in Client (aka Make the Client Invisible)
❏ CAPEC-59: Session Credential Falsification through Prediction
❏ CAPEC-60: Reusing Session IDs (aka Session Replay)
❏ CAPEC-79: Using Slashes in Alternate Encoding
❏ CAPEC-169: Footprinting
❏ CAPEC-281: Analytic Attacks
❏ CAPEC-472: Browser Fingerprinting
In the WASC Threat Classification this weakness is described both as an attack, under WASC-45 (Fingerprinting), and as a weakness, under WASC-13 (Information Leakage).
4. Affected software
………………………………
Practically all types of software can be affected by this issue.
5. Exploitation Examples
………………………………
Let's have a look at the HTB23123 security advisory (CVE-2012-5696). The vulnerability allows a malicious user to read the application's configuration file simply by requesting it directly over HTTP. We will use the following URL to access the configuration file:
http://[host]/frameworkgui/config
The output is shown in the image below.
As we can see, it is possible to view the contents of the file, which holds the credentials for accessing the database along with other configuration options.
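The pattern behind this advisory, a configuration file that sits inside the web root and is served like any other static file, as an added example that is not code from the advisory or from the affected project: a naive static handler that returns the config, the same handler with a deny-list for configuration file names, and a small check for credential-looking content that is useful when triaging such a response. The web root, the file contents and every function name here are constructed for the example; only the path frameworkgui/config mirrors the URL quoted in the text.

```python
"""Added example for CWE-200 / CWE-538 as seen in the advisory above.
Not code from HTB23123 or the affected project: the web root, the config
file contents and all function names are constructed for illustration; only
the path frameworkgui/config mirrors the URL quoted in the text."""
import re
import tempfile
from pathlib import Path
from typing import Tuple

# Constructed sample configuration: the kind of content an exposed config leaks.
SAMPLE_CONFIG = """[database]
host = 127.0.0.1
user = app_user
password = s3cr3t-example
"""


def build_docroot() -> Path:
    """Create a throwaway web root that contains frameworkgui/config (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "frameworkgui").mkdir()
    (root / "frameworkgui" / "config").write_text(SAMPLE_CONFIG)
    (root / "frameworkgui" / "index.html").write_text("<h1>GUI</h1>")
    return root


def serve_vulnerable(docroot: Path, url_path: str) -> Tuple[int, str]:
    """Static handler that returns any readable file below the web root.

    This reproduces the behaviour the advisory describes: the only check is a
    traversal guard, so a direct request for /frameworkgui/config succeeds.
    """
    base = docroot.resolve()
    target = (base / url_path.lstrip("/")).resolve()
    if base not in target.parents:
        return 403, ""  # path escapes the web root
    if not target.is_file():
        return 404, ""
    return 200, target.read_text()


# File names that must never be served, even if they sit inside the web root.
DENY = re.compile(r"(^|/)(config|\.env|[^/]*\.(ini|bak|old|swp))$", re.IGNORECASE)


def serve_hardened(docroot: Path, url_path: str) -> Tuple[int, str]:
    """Same handler with configuration files refused by name.

    This is a defence-in-depth layer; the primary fix is to keep the real
    configuration outside the document root altogether.
    """
    if DENY.search(url_path):
        return 403, ""
    return serve_vulnerable(docroot, url_path)


# Keys whose presence in a response body suggests a leaked configuration.
CRED_PATTERN = re.compile(r"(?im)^\s*(db_?pass(word)?|password|passwd|secret|api_?key)\s*[=:]")


def leaks_credentials(body: str) -> bool:
    """Triage check for a suspected CWE-200 finding: does the body look like a
    configuration file carrying credentials?"""
    return CRED_PATTERN.search(body) is not None


if __name__ == "__main__":
    root = build_docroot()
    for handler in (serve_vulnerable, serve_hardened):
        status, body = handler(root, "/frameworkgui/config")
        print(f"{handler.__name__}: HTTP {status}, credentials leaked: {leaks_credentials(body)}")
```

Keeping secrets in a file outside the document root, read by absolute path, is the robust fix; the deny-list is only there to catch files that end up in the web root anyway (editor backups, .bak copies, .env files), and the credential check is the kind of heuristic a scanner applies to decide whether a 200 response on such a path is a real disclosure or a harmless file.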
6. Severity and CVSS Scoring
………………………………
When scoring information disclosure weaknesses, security specialists must consider the maximum possible impact. If an attacker can only gain access to certain parts of the information, or has no control over what is obtained, the weakness should be scored as C:P (partial confidentiality impact, in CVSS v2 terms). If an attacker is able to read all system data (e.g. files, memory), it should be scored as C:C (complete). Usually, when information exposure is the only weakness present in the application, it is scored as C:P.
For a web application, disclosure of files should be scored as:
7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N] — High severity.
Credits: https://www.immuniweb.com/