Application Disclosure
- PCI 3.2-6.5.1
- CWE 200
- CAPEC 152
- OWASP 2017-A6
- WASC 33
- CAPEC 118
- WASC 13
- OWASP PC-C7
Application Disclosure occurs when a web application reveals sensitive internal information through HTTP headers, meta tags, error messages, or default responses. Examples include exposing framework names and versions, server software, database versions, or development/debugging details. Attackers can leverage this information to tailor attacks, exploit known vulnerabilities specific to the disclosed technologies, or perform targeted reconnaissance against the application.
Common patterns leading to application disclosure:
- HTTP headers such as Server, X-Powered-By, or X-AspNet-Version revealing the technology stack.
- Meta tags in HTML providing framework or software version information.
- Verbose error messages exposing stack traces, database errors, or file paths.
- Default or sample pages included in deployments that disclose internal systems.
Impacts:
- Information Disclosure: Reveals system components and versions, facilitating targeted attacks.
- Exploitation of Known Vulnerabilities: Attackers can use disclosed version information to identify applicable CVEs or exploits.
- Facilitates Reconnaissance: Knowledge of application technologies aids in crafting attacks such as SQL Injection, XSS, or remote code execution.
- Exposed Attack Surface: Gives attackers insight into possible weak points or misconfigurations that would otherwise have to be guessed.
Detection indicators:
- HTTP responses containing server or framework version information.
- Meta tags revealing technology details.
- Error pages displaying stack traces or internal system information.
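The detection indicators above can be checked mechanically. The following is an added example, not code from the original page or from any scanner it describes: a small Python checker that takes one HTTP response (headers plus body) and reports version-bearing headers, generator meta tags, verbose error markers, and absolute internal paths. The two sample responses are constructed for the example and were not captured from any real host; the header list and error markers are an illustrative selection, not an exhaustive signature set.

```python
import re
from typing import Dict, List, Tuple

# Response headers that routinely carry product and version details.
VERSION_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
)
# Dotted version string such as 2.4.41 or 7.4.3.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")
# <meta name="generator" content="..."> is the classic CMS/framework tell.
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.IGNORECASE
)
# Absolute Unix or Windows paths, which usually arrive via a stack trace or error page.
INTERNAL_PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|srv|opt|etc)/)[\w.\\/-]+")
# Substrings characteristic of verbose framework, runtime or database errors (illustrative).
ERROR_MARKERS = (
    "Traceback (most recent call last)",
    "System.Web.HttpException",
    "Stack trace:",
    "Fatal error:",
    "You have an error in your SQL syntax",
    "ORA-",
)


def find_disclosures(headers: Dict[str, str], body: str) -> List[Tuple[str, str]]:
    """Return (kind, evidence) pairs for every disclosure found in one HTTP response."""
    findings: List[Tuple[str, str]] = []
    lowered = {name.lower(): value for name, value in headers.items()}

    for name in VERSION_HEADERS:
        value = lowered.get(name)
        if not value:
            continue
        # A bare product name ("Express") is a weaker signal than a version ("PHP/7.4.3").
        kind = "header-version" if VERSION_RE.search(value) else "header-product"
        findings.append((kind, f"{name}: {value}"))

    for match in META_GENERATOR_RE.finditer(body):
        findings.append(("meta-generator", match.group(1)))

    # One error-detail finding per response is enough to flag the page.
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(("error-detail", marker))
            break

    for match in INTERNAL_PATH_RE.finditer(body):
        findings.append(("internal-path", match.group(0)))

    return findings


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "leaky": (
        {
            "Content-Type": "text/html",
            "Server": "Apache/2.4.41 (Ubuntu)",
            "X-Powered-By": "PHP/7.4.3",
        },
        '<html><head><meta name="generator" content="WordPress 5.4"></head>'
        "<body><b>Fatal error:</b> Uncaught Exception in "
        "/var/www/html/wp-content/plugins/x.php</body></html>",
    ),
    "hardened": (
        {"Content-Type": "text/html"},
        "<html><body>Something went wrong. Reference ID: 3f9c</body></html>",
    ),
}


if __name__ == "__main__":
    for label, (headers, body) in SAMPLE_RESPONSES.items():
        print(label, find_disclosures(headers, body))
```

Run the checker against the error paths as well as the home page (a 404, a malformed parameter, a method the route does not accept), since the verbose responses that matter rarely appear on a normal 200.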
Remediation
Mitigation focuses on information hiding and secure configuration:
Remove or Modify Sensitive HTTP Headers
Hide or remove Server, X-Powered-By, X-AspNet-Version, and other version-identifying headers at the framework or reverse-proxy layer. Some servers only allow reducing the header to a bare product name; that is acceptable, since it is the version that maps to specific CVEs.
Sanitize Error Messages
Display generic error messages to end users while logging the detailed error (stack trace, query, file path) internally, ideally under a reference identifier the user can quote to support.
Review HTML Content
Remove meta tags (for example, a generator tag) and HTML comments that disclose software versions or internal information.
Disable Default or Sample Pages
Remove placeholder pages, sample applications, and development artifacts from production.
Keep Systems Up to Date
Patch frameworks, libraries, and server software so that a disclosed version no longer maps to an exploitable vulnerability; hiding versions is defense in depth, not a substitute for patching.
Monitor and Audit Exposure
Regularly scan production responses, including error responses (404, 500, malformed input), for headers, error messages, or content disclosing application information.
Security Testing
Include checks for application disclosure in penetration tests and automated scans.
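The first two remediation steps (stripping fingerprinting headers and replacing verbose errors with a generic page while logging the detail server-side) can be enforced in one place. The following is an added example, not code from the original page or from any product it describes: a hypothetical WSGI middleware, DisclosureGuard, wrapped around a constructed demo application that leaks version headers and raises an exception containing internal details. The header values, the error text, the host and user in it, and the invoke() helper that stands in for a real WSGI server are all constructed for the example.

```python
import logging
import sys
import traceback
import uuid
from typing import Dict, Tuple

logger = logging.getLogger("app.errors")

# Headers that only serve to fingerprint the stack; strip them on the way out.
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


class DisclosureGuard:
    """Hypothetical WSGI middleware: removes version headers from every response
    and turns unhandled exceptions into a generic page, logging the full
    traceback under a reference id that the user can quote to support."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            clean = [(k, v) for k, v in headers if k.lower() not in STRIP_HEADERS]
            return start_response(status, clean, exc_info)

        try:
            return self.app(environ, guarded_start_response)
        except Exception:
            ref = uuid.uuid4().hex[:12]
            # Detail stays server-side: traceback, message, and any embedded paths or hosts.
            logger.error("unhandled exception ref=%s\n%s", ref, traceback.format_exc())
            body = f"An internal error occurred. Reference: {ref}".encode()
            # exc_info lets the server re-raise if headers were already sent (PEP 3333).
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
                sys.exc_info(),
            )
            return [body]


def leaky_app(environ, start_response):
    """Constructed demo application that leaks versions and raises on /boom."""
    if environ.get("PATH_INFO") == "/boom":
        # Constructed error text; the host and user are not real.
        raise RuntimeError("db connect failed: host=10.0.0.5 user=app")
    start_response(
        "200 OK",
        [
            ("Content-Type", "text/html"),
            ("Server", "ExampleServer/1.2.3"),
            ("X-Powered-By", "ExampleFramework/4.5"),
        ],
    )
    return [b"<html><body>hello</body></html>"]


def invoke(app, path: str) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal WSGI caller used in place of a real server so the example runs offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    guarded = DisclosureGuard(leaky_app)
    for path in ("/", "/boom"):
        status, headers, body = invoke(guarded, path)
        print(status, headers, body)
```

The reference id is the piece practitioners tend to forget: without it, support staff cannot connect a user's report to the logged traceback, and the temptation to show detail to the user returns. Note that a middleware like this only governs responses the application produces; error pages generated by the web server or proxy in front of it (for example, a 502) must be configured separately.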
You may also see
- Internal IP Address Disclosure
- Username Disclosure
- Application Disclosure
- Email Disclosure
- Long Redirect Response
- Error Message
- Stack Trace
- Internal Path
- Not Secure Cookie
- Not Http-Only Cookie
- Sensitive Data in Query String
- Sensitive Data over HTTP
- Server Error
- Source Code Disclosure
- Information Leakage
- Web Backdoor
- Database Connection String
- Autocomplete Enabled
- Undefined Content-Type Header
- Missing X-Frame-Options Header
- File Upload Input Detected
- Mixed Content
- Insecure iFrame
- XPath Injection
- Basic Authentication over HTTP
- Forbidden Resource
- Multiple Choices Enabled
- Apache MultiViews Enabled
- GraphQL Endpoint Detected