CWE-206: Information Exposure of Internal State Through Behavioral Inconsistency
Information Exposure of Internal State Through Behavioral Inconsistency
Weakness ID: 206 (Weakness Variant)
Two separate operations in a product cause the product to behave differently in a way that is observable to an attacker and reveals security-relevant information about the internal state of the product, such as whether a particular operation was successful or not.
Product immediately sends an error message when
user does not exist instead of waiting until the password is provided,
allowing username enumeration.
Setup generic response pages for error condition. The error page
should not disclose information about the success or failure of a
sensitive operation. For instance, the login page should not confirm
that the login is correct and the password incorrect. The attacker who
tries random account name may be able to guess some of them. Confirming
that the account exists would make the login page more susceptible to
brute force attack.