21 Information Disclosure

The IDOR vulnerabilities covered in Chapter 10 are a common way for applications to leak private information about users. But an attacker can uncover sensitive information from a target application in other ways too. I call these bugs information disclosure bugs. These bugs are common; in fact, they’re the type of bug I find most often while bug bounty hunting, even when I’m searching for other bug types.

These bugs can happen in many ways, depending on the application. In this chapter, we’ll talk about a few ways you might manage to leak data from an application, and how you can maximize the chances of finding ...
