Full Path Disclosure

Overview of the Vulnerability

Detailed error pages that are visible to users are a result of improper error handling, which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information.

The full path disclosure leaked by this application reveals implementation information that should not be publicly available. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application, and to access the paths displayed.

Business Impact

This vulnerability can impact customers’ trust in the application, which can result in reputational damage for the business and indirect financial losses.

Steps to Reproduce

  1. Use a browser to navigate to: {{URL}}

  2. Observe the detailed error message showing the full path disclosure

Proof of Concept (PoC)

The following screenshot shows the data disclosed in the full path disclosure:

{{screenshot}}

Recommendation(s)

It is best practice to create a policy around what happens when an error occurs in the application, detailing what information is sent to the user and what information is logged. This policy should be circulated across all development teams so that their code adheres to it.

When an error occurs, the site should respond to the user with a generic error message that does not display internal details about the error or the underlying system.
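One way to apply this recommendation is shown below as an added example; it is not part of the original template. It assumes a Python WSGI application, and the names `safe_errors`, `broken_app` and `call`, the logger name, and the sample path are all constructed for illustration.

```python
import logging
import sys
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")  # assumed logger name


def safe_errors(app):
    """WSGI middleware: full details go to the server log, a generic 500 goes to the client."""
    def wrapper(environ, start_response):
        try:
            # Materialise the body so errors raised while iterating are caught too.
            return list(app(environ, start_response))
        except Exception:
            ref = uuid.uuid4().hex  # correlation ID shared by the log entry and the response
            # log.exception writes the traceback (file paths included) to the log only.
            log.exception("unhandled error ref=%s path=%s", ref, environ.get("PATH_INFO"))
            body = f"An internal error occurred. Reference: {ref}\n".encode()
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Content-Length", str(len(body)))]
            # exc_info lets the server replace headers the failed app may have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]
    return wrapper


def broken_app(environ, start_response):
    # Constructed handler whose exception message carries a full filesystem path.
    raise FileNotFoundError("/var/www/app/config/settings.ini")


def call(app, path="/report"):
    """Drive a WSGI app once, offline, and return (status, body text)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    print(call(safe_errors(broken_app)))
```

The reference in the response lets support staff find the matching log entry without the user ever seeing the path or stack trace.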

For more information refer to the following guides relating to this vulnerability:
