Testing for Information Disclosure
Fuzzing
- Identify interesting parameters in the web application
- Submit unexpected data types or specially crafted fuzz strings to see the response
- Automate this process with Burp Intruder
  a. Add payload positions to parameters and use pre-built wordlists of fuzz strings
  b. Easily identify differences in responses by comparing HTTP status code, response times, etc.
  c. Use grep matching rules to identify occurrences of keywords
Burp Scanner
- Run a Burp Scan to get the following:
  a. Live scanning features while browsing the website
  b. Schedule automated scans to crawl and audit the target site on your behalf
  c. Automatically flag information disclosure vulns for you
Burpsuite Engagement Tools
- Right click any HTTP message and select "Engagement tools"
- Search
  a. Look for any expression within the selected item
- Find Comments
  a. Extract any developer comments found in a selected item
- Discover Content
  a. Identify additional content and functionality not linked in the visible website
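The Intruder steps above (compare status code, length and response time against a baseline, grep for keywords) and the "Find Comments" engagement tool are mechanical enough to script. The example below is added here and is not code from the page or from Burp Suite; it triages a set of constructed HTTP responses, standing in for an Intruder attack table, and flags the ones a tester would look at first. The keyword list, the `Response`/`Finding` types, the `triage` and `find_comments` functions and the sample responses are all assumptions made for illustration.

```python
"""Added example: triage fuzzing responses for information disclosure signals.

Reproduces, offline, what the Burp Intruder comparison and grep-match steps
and the "Find Comments" tool do. All responses below are constructed samples,
not captured traffic.
"""
import re
from dataclasses import dataclass, field

# Keywords a grep-match rule would flag: error details, stack traces, version
# banners, internal paths. Assumed starting list; extend it for the stack under test.
DISCLOSURE_KEYWORDS = [
    "exception", "stack trace", "traceback", "syntax error", "sql",
    "version", "debug", "internal server error", "/var/www", "c:\\",
]

# Developer comments in HTML bodies (what "Find Comments" extracts).
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


@dataclass
class Response:
    payload: str      # the fuzz string that was submitted
    status: int       # HTTP status code of the response
    body: str         # response body
    elapsed_ms: int   # round-trip time in milliseconds


@dataclass
class Finding:
    payload: str
    status: int
    length: int
    elapsed_ms: int
    keywords: list = field(default_factory=list)
    comments: list = field(default_factory=list)
    anomalies: list = field(default_factory=list)


def find_comments(body):
    """Return the non-empty HTML comments found in a response body."""
    return [c.strip() for c in HTML_COMMENT_RE.findall(body) if c.strip()]


def match_keywords(body, keywords=DISCLOSURE_KEYWORDS):
    """Case-insensitive grep-match: which flagged keywords appear in the body."""
    lowered = body.lower()
    return [k for k in keywords if k in lowered]


def triage(responses, baseline_payload, slow_factor=3.0):
    """Compare every response with the baseline (a benign payload) and record
    status, length and timing differences plus keyword and comment hits."""
    baseline = next(r for r in responses if r.payload == baseline_payload)
    findings = []
    for r in responses:
        f = Finding(r.payload, r.status, len(r.body), r.elapsed_ms,
                    match_keywords(r.body), find_comments(r.body))
        if r.status != baseline.status:
            f.anomalies.append(f"status {baseline.status} -> {r.status}")
        if len(r.body) != len(baseline.body):
            f.anomalies.append(f"length {len(baseline.body)} -> {len(r.body)}")
        if r.elapsed_ms > baseline.elapsed_ms * slow_factor:
            f.anomalies.append(f"slow response ({r.elapsed_ms} ms)")
        findings.append(f)
    return findings


def interesting(findings):
    """Only the responses that differ from the baseline or contain a hit."""
    return [f for f in findings if f.keywords or f.comments or f.anomalies]


# Constructed sample responses standing in for an Intruder attack table.
SAMPLE_RESPONSES = [
    Response("1", 200, "<html><body>Product 1</body></html>", 40),
    Response("'", 500, "<html>Internal Server Error: SQLException near ''' at line 1\n"
                       "  at com.example.ProductDao.find(ProductDao.java:42)</html>", 45),
    Response("9999", 404, "<html><body>Not found</body></html>", 38),
    Response("%00", 200, "<html><!-- TODO: remove debug endpoint /admin/debug before release -->"
                         "<body>Product 1</body></html>", 42),
    Response("a" * 5000, 200, "<html><body>Product 1</body></html>", 900),
]

if __name__ == "__main__":
    for f in interesting(triage(SAMPLE_RESPONSES, baseline_payload="1")):
        print(f.payload[:20], f.status, f.length, f.anomalies, f.keywords, f.comments)
```

The same three signals Intruder exposes (status, length, timing) are enough to separate the four noteworthy responses from the benign baseline here: the quoted payload surfaces a stack trace and SQL error text, the out-of-range id changes the status code, the null byte returns a body carrying a developer comment about an unlinked endpoint, and the oversized input only shows up through its response time. Each of those is a lead for the Discover Content and Find Comments tools, not a finding by itself.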