This document discusses application layer fuzzing and the potential information leaks that can occur. It describes how an attacker can inject faults through HTTP requests to trigger exceptions and scan responses for signatures. Errors can reveal details like the technology stack, network architecture, intranet applications, database connection information, file system layouts, and authentication mechanisms. Information leaks occur when deployment components like web servers and databases are misconfigured or have vulnerabilities, or when application source code does not properly handle errors. Various examples show how errors from web servers, application servers, databases, and source code can disclose internal paths, nature of errors, and potential injection points.

1. Application Layer Fuzzing

2. Attacker’s approach
• Fuzzing over HTTP
• Injecting faults with various set of payload
• Try to raise the exception
• Exception throw message back as part of HTTP
response
• Scanning response for signatures
• If signature found, it becomes interesting
entry for exploitation

3. Possible Leaks
• Errors can send information about technology stack and
weaknesses. In some cases error helps in fingerprinting web
and application servers running on target application.
• Internal IP addresses and architecture layout for network.
• Intranet applications and their setups.
• Type of backend database and its connection information.
• Internal folders and file system layout for application.
• Username and authentication mechanism and disclosures.
• Hidden paths and folder which helps in retrieving several
other files and internal database information.
• Error code and other relevant information which helps in
analyzing possible cause for an attacker.

4. Root cause
• Deployment cause – Application runs on technology stack,
it involves web server, application servers, plugins and
handlers, database server etc. If these components are not
configured properly or having inherent vulnerability then it
can lead to information disclosure.
• Source code cause – If application source code is not having
best practices for error or exception handling then it ends
up leaking information to end client as part of business
logic. This set of information can help in detecting
vulnerability or end up sharing internal logic information.

5. Error handlers
Web Server
Application Server
Source Code
Database/Auth/Backend
HTTP
Request
HTTP
Response
Error
Messages

6. File not found errors
• HTTP 404 - not found
server id
server id

7. Internal server errors
• HTTP 500 error messages:
nature of
error
revealed
in error
code

8. PHP error example
• Attempting to read a file which does not exist:
Internal path
disclosed.

9. Application error message example
• Attempting to place an order that already
exists:
Internal path
disclosed.

10. MySQL error example
• Generated from a failed PHP MySQL query:
Possible SQL
injection point
uncovered.

11. MS-SQL error example
• Generated from a failed ASP MS-SQL query:
Possible SQL
injection point
uncovered.

12. Tools & Conclusion