Chapter 7: Information Disclosure

Information disclosure is one of the most abundant threats to an application and often the most overlooked. In short, information disclosure bugs involve giving too much information to individuals who are not supposed to be able to obtain that information. Some bugs are as obvious as an attacker gaining access to user credentials stored in clear text where the attacker can read them. However, some bugs are not as obvious, such as when extra data can be read only by viewing the file in a binary editor.

Problems with Information Disclosure

Although threat models and data flow diagrams should reveal some information disclosure threats, most of these bugs occur as a result of small implementation details or as side effects of intended functionality. As such, you should not rely solely on analyzing threat models and data flow diagrams to identify all the places where your application might disclose data.

Information disclosure bugs are often disregarded because the developer or program designer does not understand how an attacker could use the information obtained to help break the application. Huge mistake! Even though not all information is considered equal, if attackers can obtain some data that they should not have access to, they will try to use it against your application or service to exploit other vulnerabilities. It is important to understand how disclosing certain data can be a security problem.

For example, if a feature of an application discloses a user name when a certain error occurs, the attacker has obtained half the credentials needed to gain access to the system. Attackers can use the user name to guess the user's e-mail address, and then use social engineering or spoofing techniques to trick the user into taking action that gives the attacker an advantage. Because many users share similar (if not the same) passwords from one application to another, a weakness in one can cause a vulnerability for all the others.

Note  

We once tested a logon system for a Web site that allowed users to reset their forgotten passwords only by providing their user name. Once the user name was entered, the system would automatically change the password, and then e-mail a confirmation of the new password to the user. Not only did this feature create a potential denial of service for the user, it revealed the user's e-mail address in association with user name and changed password.
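
The reset flow from the note, sketched beside a hardened form. This is an added example, not code from the book: the in-memory user store, the function names, the token scheme, and the on-screen replies of the weak version (including the reply that echoes the e-mail address) are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store (hypothetical data for illustration).
USERS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)
OUTBOX = []        # stands in for the mail system: (recipient, body)
GENERIC = "If that account exists, reset instructions have been sent."

def reset_weak(username):
    """The flow from the note: the user name alone changes the password."""
    user = USERS.get(username)
    if user is None:
        return "Unknown user"                       # confirms which names exist
    user["password"] = secrets.token_urlsafe(8)     # anyone can lock the owner out
    OUTBOX.append((user["email"], "New password: " + user["password"]))
    return "New password sent to " + user["email"]  # discloses the address

def request_reset(username, now=None):
    """Hardened step 1: same reply for every input, password left unchanged."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (username, now + 900)  # 15-minute lifetime
        OUTBOX.append((user["email"], "Reset token: " + token))
    return GENERIC

def complete_reset(token, new_password, now=None):
    """Hardened step 2: only the holder of the mailed token sets a password."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)          # single use
    if entry is None or entry[1] < now:
        return False
    USERS[entry[0]]["password"] = new_password
    return True
```

The identical reply removes the difference in content between known and unknown user names; response timing can still differ between the two cases and needs separate handling.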

Information disclosures can also lead to embarrassments, such as when revisions in drafts of a document can be viewed, or when the history of Web sites visited, phone calls made, e-mails sent, and so forth are revealed. Many times a user wants to keep this type of information private.

Remember, attackers can and will use any information they gain to learn details about your application to use against you. They will disassemble your binaries, probe your Web applications, and pick apart your application's data files to gain a better understanding of how they can break the application. This chapter discusses common areas prone to information disclosure bugs, methods for identifying interesting data, and testing tips to help you shore up these types of vulnerabilities.



Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
