Information Disclosure

Analysis | LOW | v1.0.0 | updated 2026-04-04

Identify unintentional exposure of sensitive data — API keys, credentials, stack traces, internal hostnames, and developer artifacts — across all discovered surfaces.

Tools

nuclei, gitleaks, trufflehog, gospider, grep, curl

Tags

analysis, secrets, disclosure, js-analysis, git, headers, error-handling

// checklist steps

infodis-01

JavaScript secret scanning

Scan all JavaScript files for hardcoded credentials, API keys, and internal endpoints.

cat js-files.txt | xargs -I{} curl -sk {} | grep -iE '(api_key|apikey|secret|password|token|bearer|auth|private|aws_|AKIA)'
nuclei -l js-files.txt -t exposures/tokens/ -t exposures/apis/ -o js-secrets.txt
trufflehog filesystem ./downloaded-js/ --json > trufflehog-out.json
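The grep in the step above reports every keyword hit, which is noisy. As an added example (not part of the original checklist and not gitleaks or trufflehog code), here is a small Python scanner for downloaded bundles that applies a few regex rules and ranks each hit by the Shannon entropy of the matched value, so placeholders such as "changeme" are separated from values shaped like real keys. The rule set and the sample bundle are constructed for illustration.

```python
import math
import re

# Constructed rule set for this example; real scanners (gitleaks, trufflehog) ship
# far larger rule sets and can verify hits against the issuing service.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    # key/value assignments such as apiKey: "..." or password = '...'
    "generic-assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(value: str) -> float:
    """Bits per character; placeholders like 'changeme' score low, real keys high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def scan_js(text: str, min_entropy: float = 3.0) -> list:
    """One finding per regex hit; confidence is derived from the entropy of the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # For the assignment rule the secret is the captured value, not the whole match
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                entropy = shannon_entropy(value)
                findings.append({"line": lineno, "rule": rule, "value": value,
                                 "entropy": round(entropy, 2),
                                 "confidence": "high" if entropy >= min_entropy else "low"})
    return findings


# Constructed sample bundle, not taken from any real site
SAMPLE_JS = """const config = {
  apiKey: "changeme",
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
  authHeader: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJlX2NvbnN0cnVjdGVk",
};
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f['line']}: {f['rule']} [{f['confidence']}, H={f['entropy']}] {f['value']}")
```

Point scan_js at the contents of each file under ./downloaded-js/ and triage the "high" findings first; "low" hits are usually placeholders or test fixtures but still deserve a glance.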

infodis-02

Git and VCS exposure

Check for exposed .git directories, CI configs, and source code leakage.

curl -sk https://target.com/.git/config
curl -sk https://target.com/.git/HEAD
nuclei -l live-hosts.txt -t exposures/files/git-config.yaml -o git-exposure.txt
gitjacker https://target.com -o git-dump/

A reachable .git/config reveals the repository origin URL, author emails, and sometimes credentials stored in the remote URL.

infodis-03

HTTP response header analysis

Review HTTP headers for server fingerprints, internal addresses, and security misconfigurations.

curl -sk -I https://target.com | grep -iE '(server|x-powered-by|x-aspnet|x-generator|via|x-forwarded|x-real-ip)'
nuclei -l live-hosts.txt -t misconfiguration/http-missing-security-headers.yaml -o headers-out.txt
httpx -l live-hosts.txt -include-response-header -o headers-full.txt

X-Powered-By, Server, and X-AspNet-Version headers reveal exact technology versions. Cross-reference those versions against known CVEs.

infodis-04

Error message and stack trace harvesting

Trigger application errors to expose framework details, file paths, and internal logic.

# Send invalid input types to JSON endpoints
curl -sk -X POST https://target.com/api/users -d '{"id": "../../../etc/passwd"}' -H 'Content-Type: application/json'
# Fuzz parameters with unexpected types
ffuf -u 'https://target.com/api/FUZZ' -w special-chars.txt -mc 500 -o errors-out.json

infodis-05

Cloud storage and backup file enumeration

Check for exposed S3 buckets, GCS buckets, and backup file extensions.

ffuf -u 'https://target.com/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/backups.txt -mc 200 -o backups-out.json
nuclei -l live-hosts.txt -t exposures/backups/ -o backup-findings.txt
# Test for public S3 bucket
aws s3 ls s3://target-bucket --no-sign-request

Overview

Information disclosure findings range from low-severity (banner versions) to critical (exposed credentials or source code). Because findings span that whole range, this phase often yields quick wins early in an engagement.

Passive before active

Many information disclosure issues are discoverable without sending a single active request: check JS files, historical URLs, and public git commits first.

High-value targets

  • .env files with database credentials and API keys
  • AWS credentials (AKIA...) in JavaScript or git history
  • Swagger/OpenAPI specs at /api-docs, /swagger.json, /openapi.json
  • Kubernetes API and health endpoints (/api/v1, /healthz, /metrics)
  • Internal IP addresses and hostnames in error messages or headers

// references

  1. https://github.com/gitleaks/gitleaks
  2. https://github.com/trufflesecurity/trufflehog
  3. https://github.com/projectdiscovery/nuclei
  4. https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
  5. https://portswigger.net/web-security/information-disclosure