Information leakage allows an application to reveal sensitive data such as technical details of the application, developer comments, environment, or user-specific data. An attacker may use this sensitive data to exploit the target application, its hosting network, or its users.
In its most common form, information leakage is the result of one or more of the following conditions: a failure to scrub HTML/script comments containing sensitive information; improper application or server configuration; or differences in page responses for valid versus invalid data.
Sensitive information may be present within HTML comments, error messages, or source code, or simply be left in plain sight, and there are many ways a website can be coaxed into revealing this type of information. While information leakage doesn't necessarily represent a security breach in itself, it gives an attacker useful guidance for further exploitation.
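As an added example (not part of the original glossary entry), the following Python module shows defensive checks for two of the conditions described above: flagging and scrubbing HTML comments that look like they carry secrets before a response leaves the server, and returning uniform client-facing messages so that error and login responses do not differ between valid and invalid input. The sample HTML, the keyword list and the function names are constructed assumptions, not taken from the page or from any product.

```python
import logging
import re

# Constructed sample response body: a leftover developer comment with a
# connection string, plus a harmless layout comment (example data only).
SAMPLE_HTML = """<html><body>
<!-- TODO: remove before prod. DB: mysql://admin:hunter2@db.internal/app -->
<h1>Login</h1>
<!-- layout comment, harmless -->
</body></html>"""

# Matches HTML comments, including multi-line ones. Note: this also removes
# conditional comments such as <!--[if IE]>, which is usually acceptable.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

# Assumed keyword list for triage: credential words, embedded user:pass@ in
# URLs, and developer markers that often precede internal details.
SENSITIVE_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|://\S*:\S*@|TODO|FIXME)",
    re.IGNORECASE,
)


def find_sensitive_comments(html: str) -> list[str]:
    """Return the HTML comments that look like they leak something (for review)."""
    return [c for c in COMMENT_RE.findall(html) if SENSITIVE_RE.search(c)]


def scrub_comments(html: str) -> str:
    """Strip every HTML comment from a response body before it is sent."""
    return COMMENT_RE.sub("", html)


def safe_error_response(exc: Exception, request_id: str) -> tuple[int, str]:
    """Log the exception detail server-side; return only a generic message
    and a correlation id to the client, never the stack trace or exception text."""
    logging.getLogger("app").error("request %s failed: %r", request_id, exc)
    return 500, f"An error occurred. Reference: {request_id}"


def login_message(user_exists: bool, password_ok: bool) -> str:
    """Same message whether the username or the password was wrong, so the
    response does not reveal which accounts exist."""
    if user_exists and password_ok:
        return "Login successful"
    return "Invalid username or password"
```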
Information leakage is represented in the OWASP Top 10 under Sensitive Data Exposure. As OWASP has stated, "Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user's client, e.g., browser. A manual attack is generally required."
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure