The smallest bugs that unlock the biggest chains
Information disclosure is the section every beginner skips and every senior hunter loves. On its own, an info-disclosure finding rarely pays much. Combined with one or two other bugs it almost always becomes the foundation of a high-severity report.
What counts as info disclosure
Any data the application reveals to a user who should not see it. That includes verbose error messages with stack traces, leftover backup files, hidden API endpoints buried in JavaScript bundles, debug headers, and behavioural side channels — for instance an endpoint that responds in twenty milliseconds for invalid users and three hundred milliseconds for valid ones.
Why this section comes first
Recon and information disclosure are the soil every other bug grows in. You cannot exploit an admin endpoint you never discovered, and you cannot escalate to admin if you never found the credentials. Eight lessons in this section teach you the discovery skills the rest of the course relies on.
