What the heck is information disclosure?

Thexssrat
10 min read · Apr 18, 2021

Introduction

I feel like a lot of mystery surrounds this topic. A lot of people seem to wonder which data is sensitive when exposed. Some people seem to think every single API key disclosed in a JS file is a vulnerability, but of course this is not the case! Some API keys are supposed to be used by XHR requests, and they are supposed to be public. When it comes to information disclosures, we always have to keep in mind that what we see should be private, and even then it’s not guaranteed to be a vulnerability. Depending on which viewpoint you take (pentester or bug bounty hunter), you should be more or less careful with what you report. We will go much deeper into this when we talk about what to report and what not to report.

In this article we will talk about kinds of information disclosure going from debug information to admin passwords.


How does it occur?

There are several places we can go looking for sensitive information. Let’s start by listing the ways sensitive data exposure can occur.

  • A post-it on the monitor with a password. This one is pretty obvious.
  • Debug information is very useful for both pentesters and bug bounty hunters.
  • Github repository with either passwords directly committed into a public…
