What I learned from reading 126* Information Disclosure Writeups

BrownBearSec
6 min read · Jun 6, 2022

Let’s tackle the most valuable and mysterious bug type…

Considering becoming a member on Medium? Use this link to join at no extra cost to yourself and support me :) (https://medium.com/@nynan/membership)

I did it again! You enjoyed my last post “What I learnt from reading 220* IDOR bug reports” so much that I chose a new bug class, scraped as many writeups as I could, and then went into hibernation with a coffee, a laptop and 126 writeups. I have emerged with one condensed article containing actionable insight into this high-value vulnerability type.

[Graph of the prior blog’s popularity]
3 months of reading for this article. Enjoy :)

First, let’s establish some basic points:

  • Information disclosure has no single payload, so contextual and qualitative knowledge matters more here than for most bug classes. This article aims to provide that context.
  • Information disclosure is the third highest-paying bug class (above IDOR, SQLi, privilege escalation, etc.).
  • “It seems random”, “It’s based on luck and the developer messing up, not skill”. At first I was half on board with this sentiment, but after reading all of the reports I have managed to break them down…


CTI analyst | Head of Security @revoltchat | Bug Bounty Hunter. https://twitter.com/BrownBearSec. Alana Witten (she/her)