CWE-200: Information Exposure

Overview

This guidance helps interpret DAST findings for CWE-200: Information Exposure. During dynamic scanning, the scanner detected that HTTP responses disclosed sensitive internal information not intended for public access - such as system paths, version numbers, internal IPs, or configuration details.

What the DAST scanner detected:

  • Verbose error messages containing stack traces, SQL errors, or absolute file paths
  • Version disclosure in HTTP headers (Server: Apache/2.4.41, X-Powered-By: PHP/7.4.3, X-AspNet-Version: 4.0.30319)
  • Directory listings exposing file structures (Index of /uploads/, Parent Directory links)
  • Debug endpoints (/debug, /phpinfo.php, /actuator/env, /.well-known/, /server-status) returning internal application state
  • Backup or configuration files (.git/config, .env, web.config.bak, database.yml) accessible via HTTP
  • Internal IP addresses or hostnames in responses, cookies, or headers
  • Session token patterns revealing format or generation logic

Key DAST evidence:

  • Error response contains: FileNotFoundError at /var/www/app/controllers/user.py line 42
  • HTTP header: X-Powered-By: Express 4.17.1, Server: nginx/1.18.0 (Ubuntu)
  • Response from /.git/config exposes repository URL: [remote "origin"] url = git@github.com:company/internal-app.git
  • Directory listing at /uploads/ shows all uploaded files with timestamps
  • /phpinfo.php accessible, displaying full PHP configuration including database credentials
  • Response includes internal IP: X-Forwarded-For: 192.168.1.100

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

When reviewing your security scan results, you'll see:

HTTP Request Details

  • URL and endpoint that triggered the finding
  • HTTP method (GET, POST, etc.)
  • Query parameters or form data with test payloads
  • Request headers and body content

HTTP Response Evidence

  • Response showing the vulnerability manifestation
  • Evidence of improper handling or unexpected disclosure
  • Runtime behavior indicators

Attack Vector

  • Which parameter or input is vulnerable
  • Type of exploitation possible
  • Context where the vulnerability appears

Mapping DAST Findings to Source Code

Find the Vulnerable Endpoint

Use the HTTP request URL to locate the code:

# Search for information-exposing endpoints
grep -r "/debug" src/
grep -r "/status" src/
grep -r "/info" src/
grep -r "/config" src/
grep -r "/.git" src/

Locate the Response Handler

Common patterns to search for:

  • Python Flask/Django: Debug pages, version endpoints
  • Node.js Express: /health, /status, environment info
  • Java Spring: Actuator endpoints, debug mode
  • ASP.NET: Error pages, trace endpoints
  • PHP: phpinfo(), exposed config files

Find Information Disclosure

Search for sensitive data exposure:

# Find potentially exposed information
grep -r "phpinfo" src/
grep -r "DEBUG.*True" src/
grep -r "version" src/
grep -r "X-Powered-By" src/

Trace to Vulnerable Operation

Look for exposed information:

  • Debug/development endpoints: Active in production
  • Version information: Server versions, framework versions in headers
  • Source code: .git, .env, backup files accessible
  • Directory listings: Enabled on web server
  • Internal IPs/paths: Leaked in responses or comments
  • API documentation: Swagger/OpenAPI publicly accessible

Remediation

Core Principle: Never return sensitive or internal information to a client unless it is explicitly required for that client’s authorized function; all responses must be constructed from an allowlisted exposure model, not from internal state.

→ For comprehensive remediation guidance, see Static CWE-200 Guidance

Verification and Follow-Up Testing

After applying the fix:

Reproduce the Vulnerability

# Test for information disclosure
curl "http://localhost:3000/debug"
curl -I "http://localhost:3000/" | grep -i "x-powered-by\|server\|version"
curl "http://localhost:3000/.git/config"

Verify the Fix

  • Confirm debug endpoints disabled in production
  • Verify version headers removed
  • Check source code/config files not accessible
  • Ensure directory listings disabled
  • Test sensitive endpoints require authentication

Test Edge Cases

# Debug/admin endpoints: each should return 401/403/404, never 200
for p in /debug /phpinfo /info /status /actuator /swagger-ui.html; do
  curl -s -o /dev/null -w "%{http_code} $p\n" "http://localhost:3000$p"
done

# Version disclosure: no match expected after the fix
curl -sI "http://localhost:3000/" | grep -i "x-powered-by\|server\|x-aspnet-version"

# Source code disclosure: each should return 403/404, never 200
for p in /.git/config /.env /backup.sql /web.config /.DS_Store; do
  curl -s -o /dev/null -w "%{http_code} $p\n" "http://localhost:3000$p"
done

# Comments in HTML
curl -s "http://localhost:3000/" | grep -i "todo\|password\|admin"

# Or use browser DevTools Network tab to copy as cURL
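The edge-case checks above, as an added verification script (not part of the original guidance or any scanner product): it probes the listed paths and flags responses that still disclose version headers, stack traces or absolute paths, repository metadata, private IP addresses, or directory listings. The base URL `http://localhost:3000` and the body patterns are assumptions chosen to match the evidence described earlier on this page.

```python
"""Post-fix verification for CWE-200: probe the edge-case paths and report
what still leaks. The base URL and patterns are assumptions, not a standard."""
import re
import urllib.error
import urllib.request

# Paths from the "Test Edge Cases" list; all should be 401/403/404 after the fix.
PROBE_PATHS = ["/debug", "/phpinfo", "/info", "/status", "/actuator",
               "/swagger-ui.html", "/.git/config", "/.env", "/backup.sql",
               "/web.config", "/.DS_Store"]
VERSION_RE = re.compile(r"\d+\.\d+")
# Body markers of disclosure; the private-IP ranges are RFC 1918.
BODY_PATTERNS = {
    "stack trace / absolute path": re.compile(r"Traceback|\bat /(var|home|opt|usr)/|[A-Za-z]:\\"),
    "git config": re.compile(r'\[remote "origin"\]'),
    "internal IP": re.compile(r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b"),
    "directory listing": re.compile(r"Index of /|Parent Directory"),
}

def header_findings(headers):
    """Disclosures in a header mapping: technology headers should be absent,
    and Server should not carry a version number."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("x-powered-by", "x-aspnet-version"):
            findings.append(f"technology header present: {name}: {value}")
        elif lname == "server" and VERSION_RE.search(value):
            findings.append(f"version in Server header: {value}")
    return findings

def body_findings(status, body):
    """Disclosures in a successful body; an error status is the expected outcome."""
    if status >= 400:
        return []
    return [label for label, rx in BODY_PATTERNS.items() if rx.search(body)]

def probe(base_url):
    """Fetch every probe path; return {path: [findings]} for paths still leaking."""
    report = {}
    for path in PROBE_PATHS:
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as resp:
                status, hdrs = resp.status, dict(resp.headers)
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            status, hdrs, body = e.code, dict(e.headers), ""
        except urllib.error.URLError:
            continue  # unreachable host: nothing to report for this path
        found = header_findings(hdrs) + body_findings(status, body)
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    import json, sys
    print(json.dumps(probe(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"), indent=2))
```

An empty report means every probed path returned an error status with no version headers; any non-empty entry is a finding to fix before re-running the DAST scanner.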

Re-run DAST Scanner

Run your dynamic scanner again on the fixed endpoint to confirm remediation.

Additional Resources