Info Disclosure Through Error Messages

From Guidance Share


Description

Error messages need to be filtered before they are passed on to the user. An error message should be useful to a valid user but useless to an attacker. Information disclosure can occur in one of two ways:

  • Explicitly revealing system information (such as exception details) in an error message
  • Slight differences between error messages accidentally revealing internal system state, such as when an invalid-username/invalid-password pair produces a different error than a valid-username/invalid-password pair, which lets an attacker enumerate valid user names.
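The second kind of disclosure, shown as an added Python example that is not code from this page: a leaky login handler whose two failure messages differ, beside a version that answers every failure with the same message and does the same amount of work on both paths. The in-memory user table, the salt and the names login_leaky, login_uniform and distinguishable are constructed for this illustration.

```python
import hashlib
import hmac

# Constructed in-memory user store for this example: username -> (salt, PBKDF2 digest).
_ITER = 50_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITER)


_SALT = b"constructed-salt-for-example"
USERS = {
    "alice": (_SALT, _digest("correct horse battery", _SALT)),
}
# Dummy record used for unknown users so the wrong-username path costs the same
# hash computation as the wrong-password path (no timing difference to observe).
_DUMMY_RECORD = (_SALT, _digest("not-a-real-password", _SALT))


def login_leaky(username: str, password: str):
    """Returns (success, message). Leaky: the two failure messages differ,
    so a caller can tell whether the user name exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user name"
    salt, digest = record
    if not hmac.compare_digest(_digest(password, salt), digest):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Returns (success, message). Both failures produce the same message and
    do the same work, so the response does not reveal whether the user name
    is valid."""
    salt, digest = USERS.get(username, _DUMMY_RECORD)
    password_ok = hmac.compare_digest(_digest(password, salt), digest)
    # The membership check comes after the hash so an unknown user name that
    # happens to match the dummy digest still fails.
    if not (password_ok and username in USERS):
        return False, "Invalid user name or password"
    return True, "Welcome"


def distinguishable(login) -> bool:
    """Plays the attacker: does the handler answer differently for a user name
    that exists than for one that does not, given a wrong password?"""
    _, msg_known_user = login("alice", "wrong")
    _, msg_unknown_user = login("nobody", "wrong")
    return msg_known_user != msg_unknown_user


if __name__ == "__main__":
    print("leaky handler enumerable:  ", distinguishable(login_leaky))    # True
    print("uniform handler enumerable:", distinguishable(login_uniform))  # False
```

Identical wording is only part of the fix: the HTTP status code, response size and response time of the two failure paths must match as well, which is why login_uniform hashes the supplied password against a dummy record when the user name is unknown instead of returning early.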

Applies To

  • Languages: Any; it is especially prevalent, however, when dealing with SQL or languages which throw exceptions.
  • Operating platforms: Any

Example

The following code passes the raw exception straight to the output the user sees:

    try {
        // ...
    } catch (Exception e) {
        // Writes the exception's class name and message to the user-visible output.
        System.out.println(e);
    }

System exception information is hardly ever useful to a user, and it provides an attacker with information (class names, paths, database and host details) that can be used to improve their attacks.

Impact

  • Confidentiality: Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.

Vulnerabilities

  • Exposing system information in an error message that could be useful to an attacker.

Countermeasures

  • Implementation: Filter every error before it reaches the user and remove dangerous revelations. Provide error information that is useful to a valid user but useless to an attacker. Be careful not to reveal internal system information through slight variations in error messages that an attacker can use to infer internal state.
  • Build: Debugging information (verbose exception output, stack traces) should not make its way into a production release.
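The first kind of disclosure from the Example section and both countermeasures above, as one added Python example that is not code from this page: a handler that mirrors the leaky Java snippet beside a hardened one that gives expected conditions a precise, user-meaningful message, logs anything unexpected in full on the server, and hands the user only a reference ID. The ConstructedDb class, the planted error text and the DEBUG build flag are assumptions made for this illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("orders")

# Build-time setting (assumed name): verbose errors are allowed only in
# development builds and must be off in a production release.
DEBUG = False


class ConstructedDb:
    """Stand-in for a database client, constructed for this example."""

    def __init__(self, rows, broken_ids=()):
        self.rows = rows
        self.broken_ids = set(broken_ids)

    def get(self, order_id):
        if order_id in self.broken_ids:
            # Simulates a driver failure whose text carries internal details.
            raise RuntimeError(
                "connection to db-prod-01:5432 as user svc_orders refused")
        if order_id not in self.rows:
            raise LookupError(order_id)
        return self.rows[order_id]


def handle_leaky(order_id, db):
    """Mirrors the page's Java example: the raw exception goes to the user."""
    try:
        return 200, str(db.get(order_id))
    except Exception as e:
        return 500, "Error: " + repr(e)


def handle_safe(order_id, db, debug=DEBUG):
    """Expected conditions get a message a valid user can act on; anything
    unexpected is logged in full server-side and reported by reference only."""
    try:
        return 200, str(db.get(order_id))
    except LookupError:
        return 404, "No such order"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full detail stays in the server log, tied to the reference the user sees.
        log.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        if debug:
            return 500, f"Error {ref}\n{traceback.format_exc()}"
        return 500, f"An internal error occurred. Reference: {ref}"


def leaks_internal_detail(message: str) -> bool:
    """Checks a user-facing message for the internal details planted above."""
    return any(s in message for s in ("db-prod-01", "svc_orders", "Traceback"))


if __name__ == "__main__":
    db = ConstructedDb({"A1": {"total": 10}}, broken_ids=["B2"])
    for handler in (handle_leaky, handle_safe):
        status, msg = handler("B2", db)
        print(handler.__name__, status, "leaks:", leaks_internal_detail(msg))
```

The reference ID is what makes the generic message acceptable to a valid user: support can find the full trace in the log by that value without the trace ever leaving the server. A check such as leaks_internal_detail, run against production responses for strings like "Traceback", "Exception" or internal host names, is a cheap way to confirm that the DEBUG path did not ship.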

Vulnerability Patterns

How Tos
