CWE-209 Detail

CWE-209

Generation of Error Message Containing Sensitive Information
High
Draft
2006-07-19
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

CWE Description

The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:

  • self-generated: the source code explicitly constructs the error message and delivers it
  • externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer

An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.

General Informations

Modes Of Introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
System Configuration
Operation

Applicable Platforms

Language

Name: PHP (Often)
Name: Java (Often)
Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
ConfidentialityRead Application Data

Note: Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.

Observed Examples

References Description

CVE-2008-2049

POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.

CVE-2007-5172

Program reveals password in error message if attacker can trigger certain database errors.

CVE-2008-4638

Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).

CVE-2008-1579

Existence of user names can be determined by requesting a nonexistent blog and reading the error message.

CVE-2007-1409

Direct request to library file in web application triggers pathname leak in error message.

CVE-2008-3060

Malformed input to login page causes leak of full path when IMAP call fails.

CVE-2005-0603

Malformed regexp syntax leads to information exposure in error message.

CVE-2017-9615

verbose logging stores admin credentials in a world-readablelog file

CVE-2018-1999036

SSH password for private key stored in build log

Potential Mitigations

Phases : Implementation

Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.

If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.

Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.


Phases : Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Phases : Implementation
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : System Configuration
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Phases : System Configuration
Create default error pages or messages that do not leak any information.

Detection Methods

Manual Analysis

This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
Effectiveness : High

Automated Analysis

Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
Effectiveness : Moderate

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.


Effectiveness : Moderate

Manual Dynamic Analysis

Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-215 Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463 Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54 Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7 Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

References

REF-174

Information Leakage
Web Application Security Consortium.
http://projects.webappsec.org/w/page/13246936/Information%20Leakage

REF-175

Secure Programming with Static Analysis
Brian Chess, Jacob West.

REF-176

Writing Secure Code
Michael Howard, David LeBlanc.

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-179

Top 25 Series - Rank 16 - Information Exposure Through an Error Message
Johannes Ullrich.
http://software-security.sans.org/blog/2010/03/17/top-25-series-rank-16-information-exposure-through-an-error-message

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

Submission

Name Organization Date Date release Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Relationships
CWE Content Team MITRE 2009-01-12 +00:00 updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
CWE Content Team MITRE 2009-03-10 +00:00 updated Demonstrative_Examples, Potential_Mitigations, Relationships
CWE Content Team MITRE 2009-12-28 +00:00 updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction
CWE Content Team MITRE 2010-02-16 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, Detection_Factors, Potential_Mitigations, References
Veracode 2010-09-09 +00:00 Suggested OWASP Top Ten mapping
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples, Observed_Examples, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2013-07-17 +00:00 updated References
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2018-03-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Demonstrative_Examples, Observed_Examples
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2020-12-10 +00:00 updated Potential_Mitigations, Related_Attack_Patterns
CWE Content Team MITRE 2021-07-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes