Draft:Information Disclosure Vulnerability

From Wikipedia, the free encyclopedia

What is Information Disclosure?

Information Disclosure is a class of vulnerability whose consequences range from minor to severe for the affected website or platform. It occurs when sensitive information is unintentionally exposed to the public. According to the OWASP Top 10, Information Disclosure falls under the Cryptographic Failures category. On its own the leak may look harmless, but it can act as a gateway to other dangerous vulnerabilities, up to and including full control over the target system.

The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical information can sometimes be just as serious. Although some of this information will be of limited use, it can potentially be a starting point for exposing an additional attack surface, which may contain other interesting vulnerabilities. The knowledge that you are able to gather could even provide the missing piece of the puzzle when trying to construct complex, high-severity attacks.

Occasionally, sensitive information might be carelessly leaked to users who are simply browsing the website in a normal fashion. More commonly, however, an attacker needs to elicit the information disclosure by interacting with the website in unexpected or malicious ways. They will then carefully study the website's responses to try and identify interesting behavior.

How does Information Disclosure occur?

There is no single root cause of information disclosure; it can arise in several ways, which are discussed below. First, it is worth being precise about the kinds of information that should not be disclosed:

  • Data about other users, such as usernames, passwords, and financial information.
  • Confidential commercial or business information.
  • Underlying architecture or design of the platform.

Now, we can look at the reasons behind its occurrence:

  • Server-raised issues: Web servers often reveal too much by default, such as Apache/Nginx version banners in response headers and default error pages.
  • Mishandling by developers: Developers sometimes forget to remove or disable detailed error messages before release, and some leave hardcoded secrets or other internal details in the code.
  • Improper file permissions: When sensitive files are readable by the public, the same disclosure problem arises.
  • Information from APIs: Almost all large websites use external APIs, and like servers, APIs often return more information by default than the client needs, which is valuable to an attacker.
  • Logging problems: Logs written to the frontend or exposed at a path such as /logs can reveal authentication tokens or internal errors.

Many other causes exist besides those mentioned above, but the most important ones are listed here.
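
As an added example (not part of the original article), the following Python check inspects HTTP responses for the disclosure classes listed above: version banners in Server/X-Powered-By headers, stack traces and database errors in error pages, directory listings, leaked bearer tokens and internal file paths. The sample responses are constructed for illustration, not captured from any real site.

```python
import re

# Constructed sample HTTP responses (not captured from any real site):
# each entry is (description, headers, body).
SAMPLE_RESPONSES = [
    ("default server banner",
     {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.24"},
     "<html><body>Welcome</body></html>"),
    ("verbose error page", {"Server": "nginx"},
     'Traceback (most recent call last):\n  File "/srv/app/views.py", line 42, in checkout\n'
     'psycopg2.OperationalError: FATAL: password authentication failed for user "shop"'),
    ("directory listing", {"Server": "nginx"},
     '<title>Index of /backup/</title><a href="db.sql.bak">db.sql.bak</a>'),
    ("exposed log", {"Server": "nginx"},
     "2024-01-01 12:00:00 INFO login ok Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def"),
    ("clean response", {"Server": "nginx"}, "<html><body>Welcome</body></html>"),
]

# Headers that commonly carry a product version, and body patterns for the
# disclosure classes named in the list above (stack traces, database errors,
# directory listings, leaked tokens, internal paths).
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
BODY_PATTERNS = {
    "stack trace / verbose error": re.compile(
        r"Traceback \(most recent call last\)|Exception in thread|at [\w.$]+\(\w+\.java:\d+\)"),
    "database error message": re.compile(r"ORA-\d{5}|SQLSTATE|OperationalError|SQL syntax"),
    "directory listing enabled": re.compile(r"<title>Index of /"),
    "bearer token in body": re.compile(r"Bearer [A-Za-z0-9._-]{16,}"),
    "internal file path": re.compile(r"/srv/|/var/www/|/home/\w+/|[A-Za-z]:\\inetpub"),
}

def audit_response(headers, body):
    """Return the list of disclosure findings for one HTTP response."""
    findings = []
    # A product name alone ("nginx") is tolerated; a version number after the slash
    # ("Apache/2.4.29") is a banner leak (fix: ServerTokens Prod / server_tokens off).
    for name in VERSION_HEADERS:
        value = headers.get(name, "")
        if re.search(r"/\d", value):
            findings.append(f"version banner in {name}: {value}")
    for label, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            findings.append(label)
    return findings

def audit_all(responses=SAMPLE_RESPONSES):
    """Map each sample description to its findings; an empty list means nothing flagged."""
    return {desc: audit_response(hdrs, body) for desc, hdrs, body in responses}
```

Calling audit_all() on the constructed samples flags every response except the clean one; in practice the same function can be run over responses recorded from a staging environment before release.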

Impact of Information Disclosure

Let us go through some of the impacts that your website may face due to the information disclosure vulnerability:

  • Attackers can gather valuable insights about the system's structure, technologies, and vulnerabilities, which aids in planning attacks.
  • This information can give attackers an entry point to exploit.
  • If leaked information exposes configuration files, database details, or other sensitive data about a higher-privileged account on the website, it can lead to privilege escalation.
  • Exposed personal or confidential data can lead to identity theft, fraud, or intellectual property theft.
  • Public information leakage, especially user data or information about vulnerabilities before patching, can severely damage an organization’s reputation and erode user trust.
  • Information leakage can also lead to legal consequences for the organization.
  • Information disclosure can lead to further vulnerabilities. For example, if an attacker learns the version of the server software a site runs and finds a published RCE vulnerability for that version, they can easily escalate their attack.

Prevention of Information Disclosure

The following measures help prevent information disclosure when building a product or when helping an organization address the problem:

  • Employee training: Make sure that employees are aware of this class of vulnerability and perform proper checks before a platform goes live.
  • Access control: Implement the principle of least privilege (PoLP). Only authorized users should have access to sensitive information.
  • Data encryption: Always encrypt sensitive data at rest and in transit using strong encryption algorithms (e.g., AES-256, RSA). This ensures that even if data is intercepted or accessed, it remains unreadable.
  • Regular audits: Conduct regular audits to detect unauthorized access to, or leakage of, sensitive information.

Preventing these vulnerabilities is crucial in maintaining confidentiality and protecting sensitive data.

How to Evaluate the Extent of Information Disclosure

Not every information leak is a red alert. Although information disclosure can have severe repercussions, it only reaches high-severity status in some cases. The actual threat is what an attacker can do with the information, not necessarily that it's out there.

For example, if a page announces that it uses a particular framework, that is not necessarily helpful to an attacker unless it is an old version with known vulnerabilities. Then the leak is not trivia at all; it is basically giving away a loaded pistol.

When you see leaked technical information, be practical. Is this merely noise, or can it really facilitate an attack? Many websites spill harmless information that leads nowhere. So do not panic because something leaked; consider whether the leak is actually useful and exploitable.

Of course, if the disclosure is of extremely sensitive information (such as credentials, API keys, internal IPs, or session tokens), that's a different story. Those are bad enough on their own and need to be flagged right away.

Examples in the real world

Some examples of information disclosure that we can see in the real world are mentioned below:

  • Exposing the names, structure, and contents of hidden directories through a robots.txt file or by enabling directory listing.
  • Allowing access to source code files through temporary backup copies.
  • Embedding sensitive information such as API keys, IP addresses, and database credentials directly in the source code.
  • Revealing the presence or absence of resources, usernames, and the like through subtle variations in application behavior. For example, on a login page with a username field and a password field, entering an incorrect username might produce the message "No user with that name." If a different message, such as "Password is not matching," appears for some username, that username exists on the site, and an attacker now only needs to obtain the password, whether by brute force or other means.
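
The login behavior described in the last example, shown as an added Python example that is not part of the original article: the vulnerable handler returns the two different messages quoted above, while the hardened handler returns one generic message and performs the same hashing work whether or not the account exists, so neither the text nor the response time reveals which usernames are valid. The user store and password are constructed data.

```python
import hashlib
import hmac
import os
import secrets

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store with a single account (hypothetical data).
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy credential so that unknown usernames cost the same hashing work as known ones.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))

def login_vulnerable(username, password):
    """Two different failure messages: the response itself tells whether the username exists."""
    if username not in USERS:
        return False, "No user with that name."
    salt, digest = USERS[username]
    if hash_password(password, salt)[1] != digest:
        return False, "Password is not matching."
    return True, "Login successful."

def login_hardened(username, password):
    """One generic failure message, and identical work for unknown and known usernames,
    so neither the message nor the response time distinguishes the two cases."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)[1]
    # compare_digest is constant-time; the membership check makes sure the dummy
    # record can never authenticate, even though a random digest cannot match anyway.
    if hmac.compare_digest(candidate, digest) and username in USERS:
        return True, "Login successful."
    return False, "Invalid username or password."

if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(f"{fn.__name__}: unknown user -> {fn('bob', 'x')[1]!r}, "
              f"wrong password -> {fn('alice', 'x')[1]!r}")
```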

Experiment with sites you know to be in scope of public bug bounty programs; while doing so, you will come across more ways to find information disclosure vulnerabilities. The examples above are only a starting point, meant to show the kind of behavior that can point to the vulnerability.
