CWE-209
Generation of Error Message Containing Sensitive Information
HIGH
Draft
2006-07-19 00:00 +00:00
2023-06-29 00:00 +00:00
Alerte pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Extended Description
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more serious attacks. The error message may be created in different ways:
- self-generated: the source code explicitly constructs the error message and delivers it
- externally-generated: the external environment, such as a language interpreter, handles the error and constructs its own message, whose contents are not under direct control by the programmer
An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of ".." sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.
Informations
Modes Of Introduction
Architecture and DesignImplementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
System Configuration
Operation
Applicable Platforms
Language
Name: PHP (Often)Name: Java (Often)
Class: Not Language-Specific (Undetermined)
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality | Read Application Data Note: Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server. |
Observed Examples
| Reference | Description |
|---|---|
| POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. | |
| Program reveals password in error message if attacker can trigger certain database errors. | |
| Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). | |
| Existence of user names can be determined by requesting a nonexistent blog and reading the error message. | |
| Direct request to library file in web application triggers pathname leak in error message. | |
| Malformed input to login page causes leak of full path when IMAP call fails. | |
| Malformed regexp syntax leads to information exposure in error message. | |
| verbose logging stores admin credentials in a world-readablelog file | |
| SSH password for private key stored in build log |
Potential Mitigations
Phases : ImplementationEnsure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Phases : Implementation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Phases : Implementation
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : Implementation // Build and Compilation
Debugging information should not make its way into a production release.
Phases : System Configuration
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Phases : System Configuration
Create default error pages or messages that do not leak any information.
Detection Methods
Manual Analysis
This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.Effectiveness : High
Automated Analysis
Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.Effectiveness : Moderate
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
Effectiveness : Moderate
Manual Dynamic Analysis
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Vulnerability Mapping Notes
Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-215 | Fuzzing for application mapping An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. |
| CAPEC-463 | Padding Oracle Crypto Attack An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. |
| CAPEC-54 | Query System for Information An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide. |
| CAPEC-7 | Blind SQL Injection Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection. |
References
REF-174
Information LeakageWeb Application Security Consortium.
http://projects.webappsec.org/w/page/13246936/Information%20Leakage
REF-175
Secure Programming with Static AnalysisBrian Chess, Jacob West.
REF-176
Writing Secure CodeMichael Howard, David LeBlanc.
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
REF-179
Top 25 Series - Rank 16 - Information Exposure Through an Error MessageJohannes Ullrich.
http://software-security.sans.org/blog/2010/03/17/top-25-series-rank-16-information-exposure-through-an-error-message
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
REF-18
The CLASP Application Security ProcessSecure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
Submission
| Name | Organization | Date | Date Release | Version |
|---|---|---|---|---|
| CLASP | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Name, Potential_Mitigations, References, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Detection_Factors, References, Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences, Detection_Factors, Potential_Mitigations, References | |
| Veracode | Suggested OWASP Top Ten mapping | ||
| CWE Content Team | MITRE | updated Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References, Related_Attack_Patterns, Relationships | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Observed_Examples | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Description, Name, Observed_Examples, References, Relationships, Weakness_Ordinalities | |
| CWE Content Team | MITRE | updated Potential_Mitigations, Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Detection_Factors, References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
2024©
tesweb SA
