Information Disclosure Pentest
Your API Just Told Me Everything I Needed to Know
Here is how easy it is: I send a request to your API, and instead of a simple 'access denied' message, your server responds with Error: User 4532 does not have permission to access credit_card_number for User 4531. You just confirmed that user exists, that they have credit card data stored, and exactly what field name you use. That is an information disclosure vulnerability, and it is handing attackers a roadmap to your most sensitive data.
What Is Your Application Accidentally Telling Attackers?
Let me be blunt with you: most applications are leaking information they should not be sharing. Not through sophisticated exploits or zero-day vulnerabilities, but through basic mistakes that happen every single day. Verbose error messages. Stack traces in production. API responses that include fields nobody asked for. Debug headers left enabled. Each one is an information disclosure vulnerability waiting to be exploited.
Think about what happens when an attacker probes your system. They try to access a resource they should not have permission to view. A well-designed system returns a generic 'not found' or 'access denied' response. But your system? It might say 'You do not have permission to view invoice #47832 for customer Acme Corp.' Now the attacker knows that invoice exists, who it belongs to, and can start enumerating other invoice numbers.
Or consider your error handling. In development, detailed error messages help you debug. In production, those same messages become intelligence for attackers. A stack trace revealing your database schema, file paths exposing your server structure, or API responses containing internal user IDs - all of these transform simple errors into security reconnaissance.
The scary part about a credit card information leak? It often happens through these exact mechanisms. In 2024, a misconfiguration at Quoality (a hotel management platform) exposed full credit card details of over one million hotel guests, including CVV codes and expiry dates. This was not some advanced attack - it was an authorization configuration that leaked data it should have protected.
Think your application is immune?
PentestMate's AI agents find these flaws in 87% of the apps we test.
What Our AI Agents Look For
Unlike automated scanners that look for code signatures, our agents understand your business logic and test it like a real attacker would.
Verbose Error Messages
HIGHWe probe your application for error responses that reveal internal details: stack traces, database errors, file paths, user enumeration, and schema information. These give attackers the reconnaissance they need to plan deeper attacks.
API Response Over-Exposure
CRITICALMany APIs return entire objects when only specific fields were requested. We test whether your endpoints leak sensitive fields like credit card numbers, SSNs, internal IDs, or authorization tokens in their responses.
Debug Mode in Production
CRITICALDevelopment configurations accidentally deployed to production. We check for exposed debugging endpoints, verbose logging, source maps, and development headers that reveal your application internals.
Authorization Error Leakage
HIGHYour access control returns different error messages for 'user does not exist' vs 'you do not have permission.' This information disclosure vulnerability lets attackers enumerate valid resources and users.
Header Information Disclosure
MEDIUMServer headers revealing technology stack, version numbers, and internal infrastructure details. We identify headers like X-Powered-By, Server versions, and custom debug headers that should not be public.
Source Code and Configuration Exposure
CRITICALBackup files, exposed git directories, configuration files accessible via web, and JavaScript source maps that reveal your application logic and potential vulnerability points.
“Information disclosure vulnerabilities arise when an application unintentionally reveals sensitive information to users. This can include data the application handles, technical details about the application or its environment, or information about other users.”
Why Information Disclosure Is the Gateway to Bigger Breaches
Information disclosure might sound like a minor issue compared to SQL injection or remote code execution. But here is what attackers know: every major breach starts with reconnaissance. The more your application tells them, the faster they find the real vulnerabilities.
The Danger of Helpful Error Messages
Your application is trying to be helpful. When something goes wrong, it explains exactly what happened. The problem? Attackers are listening. Every detailed error message is a piece of the puzzle they are assembling.
// What your API returns when someone probes for data:
// BAD: Information disclosure vulnerability in action
{
"error": true,
"message": "Access denied: User john.doe@company.com cannot
view credit_card records for account #45821",
"debug": {
"query": "SELECT * FROM payments WHERE user_id = 45821",
"table": "payments",
"columns": ["id", "user_id", "credit_card_number", "cvv", "expiry"],
"server": "db-prod-east-2.internal.company.com"
}
}
// What an attacker learns:
// 1. The email format your company uses
// 2. Account numbers are sequential integers (enumerable)
// 3. Your database schema including sensitive column names
// 4. You store CVV codes (PCI compliance violation)
// 5. Your internal server naming convention
// GOOD: Secure error response
{
"error": true,
"message": "Access denied",
"requestId": "req_x7k9m2p4" // For internal debugging only
}That debug object might only appear when DEBUG=true, but how confident are you that flag is not set in production? How about in your staging environment that shares the production database?
Credit Card Information Leak Through API Over-Exposure
This is where credit card information leak vulnerabilities commonly occur. Your API fetches a complete user object from the database and returns it to the frontend. The frontend only displays the name and email. But the full response contains everything, including payment data.
// The API endpoint: GET /api/users/profile
// What the frontend displays:
// Name: John Smith
// Email: john@example.com
// What the API actually returns (check Network tab):
{
"id": 45821,
"name": "John Smith",
"email": "john@example.com",
"phone": "+1-555-0123",
"ssn": "123-45-6789", // Credit card information leak!
"payment_methods": [
{
"type": "credit_card",
"number": "4532015112830366", // Full card number exposed
"cvv": "847", // CVV should NEVER be stored
"expiry": "03/2027",
"billing_address": "123 Main St, New York, NY 10001"
}
],
"internal_notes": "VIP customer - approved for $50k credit line",
"created_at": "2019-03-15T08:22:14Z"
}
// The frontend only uses name and email
// But the ENTIRE response goes to the browser
// Attackers just open DevTools to see everything
// The fix: Only return what is needed
{
"name": "John Smith",
"email": "john@example.com"
}Your frontend might be clean, but the API response contains your users' complete financial lives. This is exactly what happened in the Quoality breach, where full payment card data was accessible through their API.
User Enumeration Through Authorization Differences
Subtle differences in how your application responds to valid vs invalid resources is a classic information disclosure vulnerability. Attackers use this to map out your entire user base before launching targeted attacks.
// Probing for valid usernames:
// Request 1: Non-existent user
POST /api/login
{"email": "definitely.fake@random.com", "password": "test"}
Response: {
"error": "No account found with that email" // User does NOT exist
}
// Request 2: Valid user (wrong password)
POST /api/login
{"email": "real.employee@company.com", "password": "test"}
Response: {
"error": "Invalid password" // User EXISTS!
}
// Even worse - timing-based disclosure:
// Invalid user: 50ms response (immediate rejection)
// Valid user: 250ms response (password hash comparison)
// Attackers can now:
// 1. Build a list of valid email addresses
// 2. Target those accounts for password spraying
// 3. Use the emails for phishing campaigns
// 4. Sell the validated email list
// SECURE: Consistent response for both cases
Response: {
"error": "Invalid email or password"
}
// AND ensure consistent response timingThis applies to password reset flows too. If your reset page says 'Email sent!' for valid accounts but 'No account found' for invalid ones, you have just given attackers a user validation oracle.
Debug Mode Left in Production
It happens more often than anyone wants to admit. Development configurations make it to production. Debug endpoints stay enabled. And suddenly, attackers have a window into your entire system.
// Common debug endpoints found in production:
/debug - Application debugging console
/phpinfo.php - Complete PHP configuration exposure
/server-status - Apache server metrics and connections
/actuator/env - Spring Boot environment variables
/graphql/playground - Interactive GraphQL interface
/.git/config - Git repository configuration
/api/swagger.json - Complete API documentation
/elmah.axd - .NET error logs with stack traces
/__debug__/ - Framework debug toolbars
// What attackers find in exposed debug endpoints:
{
"environment": "production", // Oops
"database": {
"host": "db.internal.company.com",
"user": "app_production",
"password": "Pr0d_DB_2024!", // Credentials in debug output
"database": "customers_prod"
},
"stripe_api_key": "sk_live_51ABC...", // Payment API keys
"jwt_secret": "super-secret-key-123", // Token signing key
"aws_access_key": "AKIA...", // Cloud credentials
"internal_api_tokens": {
"payment_gateway": "tok_prod_xyz",
"email_service": "key_123abc"
}
}
// One debug endpoint exposure = complete system compromiseThat deployment script that sets DEBUG=false? It failed silently once, three months ago. Nobody noticed. PentestMate checks for exposed debug endpoints on every scan because this misconfiguration can appear at any time.
The Real Cost: From Disclosure to Breach
Information disclosure is rarely the end goal. It is the first step in a chain that leads to full compromise. Let me show you how attackers connect the dots from your leaked information to a complete breach.
// Attack chain starting from information disclosure:
// Step 1: Find verbose error message
GET /api/users/99999999
Response: "User not found in table 'users' (MySQL 8.0.28)"
// Learned: MySQL database, table name, potential injection point
// Step 2: Enumerate valid users through response differences
GET /api/users/1 -> 403 Forbidden (user exists!)
GET /api/users/2 -> 403 Forbidden (user exists!)
GET /api/users/3 -> 404 Not Found (does not exist)
// Learned: Valid user IDs are 1 and 2
// Step 3: Find exposed API documentation
GET /swagger.json
// Learned: All API endpoints including admin functions
// Step 4: Discover debug endpoint
GET /actuator/env
// Learned: Database credentials, API keys, JWT secret
// Step 5: Access admin endpoint with JWT forgery
// Using the leaked jwt_secret to create admin token
// Step 6: Full database access
// Download complete customer table including credit cards
// Total time from first request to breach: 47 minutes
// Root cause: Information disclosure at every stepThe 2019 Capital One breach that exposed 106 million records started with a misconfigured firewall that disclosed server metadata. One piece of information led to another until complete access was achieved.
Still reading? Good. That means you care about security.
Most people would've clicked away by now. Let PentestMate find out if your application has these vulnerabilities - before someone else does.
Stop Reading About Vulnerabilities.
Start Finding Them.
Everything you have read above? Our AI agents test for all of it - automatically, continuously, and without you lifting a finger.
Deep Response Analysis
Our AI agents analyze every API response for data that should not be there, from hidden fields in JSON to sensitive information in headers that your tests might miss.
Continuous Disclosure Monitoring
New deployments can accidentally expose sensitive data. PentestMate runs 24/7, catching information disclosure the moment it appears in your production environment.
Instant Leak Alerts
When we detect exposed credit card fields, leaked credentials, or verbose error messages, you get notified immediately with exact details of what is exposed and where.
Start with a $1 trial - full access to all PentestMate AI-powered security testing
Quick Business Logic Security Checklist
Use this as a starting point. If you're missing even one of these, you have a problem.
Error Handling
- Return generic error messages in production
- Log detailed errors server-side only
- Use request IDs for debugging without exposing internals
- Ensure consistent error responses for auth failures
- Never expose stack traces to end users
API Response Security
- Return only requested fields, not entire objects
- Never include credit card numbers in API responses
- Strip internal IDs and metadata from responses
- Validate response content before sending
- Use DTOs to control exactly what data leaves your server
Production Configuration
- Disable all debug modes in production
- Remove or restrict debug endpoints
- Strip server version headers
- Disable source maps for production builds
- Audit deployment scripts for configuration drift
Sensitive Data Protection
- Never store CVV codes (PCI DSS requirement)
- Mask or truncate credit card numbers in all contexts
- Encrypt sensitive fields at the database level
- Implement field-level access controls
- Audit logs for sensitive data exposure
Not sure if your system passes all these checks? Let PentestMate's AI agents find out for you.
Run Automated Security TestingReal-World Business Logic Breaches
These aren't hypotheticals. These are real companies that got burned by the exact vulnerabilities we've discussed:
Capital One (2019)
106 million credit card applications and accounts exposedWhat happened: Misconfigured firewall leaked server metadata, enabling deeper access to customer data
Lesson: Information disclosure in infrastructure can cascade to full data breach. Even metadata leaks can be the first step in an attack chain. (Source: Capital One official announcement)
Quoality Hotel Platform (2024)
Over 1 million hotel guests' credit cards leaked, including CVV codesWhat happened: Authorization misconfiguration exposed guest booking data including full credit card details
Lesson: Storing CVV codes violates PCI DSS. This credit card information leak included data that should never have been retained. (Source: Cybernews)
Equifax (2017)
147.9 million Americans' personal data compromised, including SSNsWhat happened: Verbose error messages and unpatched vulnerability combined to expose consumer data
Lesson: Error handling that reveals system details helps attackers chain vulnerabilities together for maximum impact. (Source: Wikipedia)
What Secrets Is Your Application Accidentally Sharing?
Your error messages, API responses, and server headers might be giving attackers exactly what they need. Our AI agents systematically probe your application for information disclosure, from credit card information leak vulnerabilities to exposed debug endpoints. Find out what you are accidentally revealing before someone else does.
Related Security Tests
IDOR Vulnerability Testing
Learn more
Broken Function Level Authorization Testing
Learn more
Authentication & JWT Pentesting
Learn more
Explore more security testing capabilities on our main site.
Back to PentestMate