CWE Error Message Information Leak
Information Exposure Through An Error Message Solution
CWE-209: Information Exposure Through an Error Message
Weakness ID: 209 (Weakness Base)
Status: Draft
Information Exposure Through An Error Message Fix
Description Summary: The software generates an error message that includes sensitive information about its environment, users, or associated data.
Extended Description: The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
Time of Introduction: Architecture and Design; Implementation; System Configuration; Operation
Applicable Platforms: Languages: PHP (Often); All
Common Consequences: Scope: Confidentiality. Technical Impact: Read application data. Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.
Likelihood of Exploit: High
Detection Methods:
Manual Analysis: This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints. Effectiveness: High
Automated Analysis: Automated methods may be able to detect certain idioms auto
What Is Verbose Error Messages
How To Fix Information Exposure Through Sent Data
https://cwe.mitre.org/data/definitions/209.html
CWE-211: Information Exposure Through Externally-generated Error Message
https://cwe.mitre.org/data/definitions/211.html
Weakness ID: 211 (Weakness Base)
Status: Incomplete
Description Summary: The software performs an operation that triggers an external diagnostic or error message that is not directly generated by the software, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information.
Time of Introduction: Architecture and Design; Implementation; Operation
Applicable Platforms: Languages: PHP (Often); All
Common Consequences: Scope: Confidentiality. Technical Impact: Read application data
Enabling Factors for Exploitation: PHP applications are often targeted for having this issue when the PHP interpreter generates the error outside of the application's control. However, it's not just restricted to PHP, as other languages/environments exhibit the same issue.
Observed Examples (Reference: Description)
CVE-2004-1581: chain: product does not protect against direct request of an include file, leading to resultant path disclosure when the include file does not successfully execute.
CVE-2004-1579: Single "'" inserted into SQL query leads to invalid SQL query execution, triggering full path disclosure. Possibly resultant from more general SQL injection issue.
CVE-2005-0459: chain: product does not protect against direct request of a library file, leading to resultant path disclosure when the file does not successfully execute.
CVE-2005-0443: invalid parameter triggers a failure to find an include file, leading to infoleak in error message.
CVE-2005-0433: Various invalid requests lead to information leak in verbose error messages describing the failure to instantiate a
workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
https://www.security-database.com/cwe.php?name=CWE-209
1 Environments Affected 2 Vulnerability 3 Verifying Security 4 Protection 5 Samples 6 Related Articles 7 References
Environments Affected
All web application frameworks are vulnerable to information leakage and improper error handling.
Vulnerability
Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploiting a vulnerability. There are several common examples of information exposure through this:
- Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information
- Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for no such user, and bad password. However, many systems produce different error codes
Verifying Security
The goal is to verify that the application does not leak information via error messages or other means.
Automated approaches: Vulnerability scanning tools will usually cause error messages to be generated. Static analysis tools can search for the use of APIs that leak information, but will not be able to verify the meaning of those messages.
Manual approaches: A code review can search for improper error handling and other patterns that leak information, but it is time-consuming. Testing will also generate error messages, but knowing what error paths were covered is a challenge.
Protection
Developers should use tools like OWASP's WebScarab to try to m
CWE 209 Information Exposure Through an Error Message
Weakness ID: 209 (Weakness Base)
Status: Draft
Description Summary: The software generates an error message that includes sensitive information about its environment, users, or associated data.
Extended Description: The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. If an attack fails, an attacker may use error information provided by the server to launch another more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
Time of Introduction: Architecture and Design; Implementation; System Configuration; Operation
Applicable Platforms: Languages: PHP (Often); All
Common Consequences: Scope: Confidentiality. Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.
Likelihood of Exploit: High
Detection Methods:
Manual Analysis: This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints. Effectiveness: High
Automated Analysis: Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not ty