It is possible to obtain technical information such as:
- System component versions (HTTP headers, service banner, etc.).
- Specific information about the configuration of server components (php.ini, web.config).
Gather technical information to craft new attack vectors
Delete the services' banner information leakage. Verify that HTTP headers do not expose any name or version.
Authenticated attacker from the Internet
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: N
- Availability: N
- Exploit code madurity: X
- Remediation level: X
- Report confidence: X
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X
- Base: 0.0
- Temporal: 0.0
- Base: None
- Temporal: None
In front-end programming,
provides access to the browser's
Arguments passed to
are visible to the user that
is using the website,
it's also visible to attackers.
As per Fluid Attacks' criteria2 the application must not disclose internal system information such as stack traces because this information can be leveraged to further exploit other vulnerabilities.
Developers tend to do debugging the following way:
But this ends in lots of information that attackers use to better understand the inner workings on the system, aiding them in creating and improving attack vectors.