User Information Disclosure

OWASP 2013-A6 OWASP 2017-A3 OWASP PC-C8 CAPEC-375 WSTG-CRYP-03 WASC-13 CWE-200

Data handling is a major responsibility of a web application, as the application may hold sensitive information, ranging from details of product functionality to user data. Older versions of SIPS (0.2.2 and lower) store sensitive information under the web root with insufficient access control. This flaw allows a remote attacker to obtain passwords and other sensitive user information via a direct request to a user-specific configuration directory. The severity of the damage depends on the data leaked; for a server, the leaked information might range from critical and sensitive server configuration to user account details.

The different attacks possible under information disclosure are:-

  • Banner Grabbing: The attacker gathers information about the server by sending different requests to the victim server and inspecting the responses.
  • Source code disclosure: If the victim server is not properly configured, the attacker can gain access to the source code of the application and scan it for hardcoded user credentials, API keys and similar secrets.
  • Unsafe handling of sensitive data: If the application handles data in an unsafe manner, the attacker can use attacks such as a MITM attack to sniff data off the communication channel.
  • File names and paths: If an attacker learns the names of files or paths of the application, the attacker can use a directory traversal attack to reach unauthorised paths on the server.

Example

https://www.example.beaglesecurity.com/[sips_directory]/sipssys/users/[first_letter_of_UserID]/

The above URL gives the attacker access to the usernames and passwords of all the application's users.
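As an added example (not part of the original advisory or of SIPS itself), the following Python check runs over constructed access-log lines and flags requests to the per-user configuration directory named above, separating the requests the server actually served from those it refused; the log lines, IP addresses and file names are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /sips/sipssys/users/a/ HTTP/1.1" 200 1834
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /sips/sipssys/users/a/admin.conf HTTP/1.1" 200 297
198.51.100.7 - - [10/Oct/2023:14:02:03 +0000] "GET /sips/sipssys/users/%62/ HTTP/1.1" 200 1512
198.51.100.7 - - [10/Oct/2023:14:02:09 +0000] "GET /sips/sipssys/users/c/ HTTP/1.1" 403 199
"""

# Common Log Format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The SIPS per-user configuration directory described in the advisory.
SENSITIVE_RE = re.compile(r'/sipssys/users/[^/]+/', re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposures(log_text):
    """Return (served, blocked): requests for the sensitive directory that the
    server answered with 2xx versus those it refused (403, 404, ...).
    Paths are URL-decoded first so percent-encoded variants are still caught."""
    served, blocked = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not SENSITIVE_RE.search(unquote(rec["path"])):
            continue
        (served if rec["status"].startswith("2") else blocked).append(rec)
    return served, blocked


def sources_of_exposure(served):
    """Count, per client IP, how many sensitive requests were actually served."""
    return Counter(rec["ip"] for rec in served)
```

A non-empty `served` list means the access-control fix has not taken effect (or had not at the time of the request) and the affected users' credentials should be treated as exposed.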

Impact

The impact includes:-

  • Possible loss of sensitive information.
  • Possible manipulation of information by the attacker.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Update the SIPS version to 31 or above.
  • Implement access control carefully, so that user-specific configuration directories are never served from the web root.
  • Make sure the application's response headers don't reveal any information about the backend server.
  • Services running on open ports of the server should not reveal any information about the application.
  • Make sure the application denies directory listing.
  • Do not hardcode user credentials, API keys or other sensitive information.
  • Make sure the application doesn't output server errors on the user's page.
