What I learned from reading 126* Information Disclosure Writeups
Let’s tackle the most valuable and mysterious bug type…
Considering becoming a member on medium? Use this link at no extra cost to yourself, and support me :) (https://medium.com/@nynan/membership)
I did it again! You enjoyed my last post “What I learnt from reading 220* IDOR bug reports” so much that I chose a new bug, scraped as many writeups as I could, and then went into hibernation with a coffee, a laptop and 126 writeups. I have emerged with one condensed article, with actionable insight into this critical vulnerability type.
First, let’s establish some basic points:
- Information disclosure does not have a payload, so contextual and qualitative data is important to understanding how to succeed. This article aims to provide that context.
- Information Disclosure is the 3rd highest paying bug (more than IDOR, SQLi, PrivEsc, etc.).
- “It seems random”, “It’s based on luck and the developer messing up, not skill”. At first, I was quasi-onboard with this sentiment, but after reading all of the reports, I have managed to break them down…