CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.10)  
ID

CWE-206: Information Exposure of Internal State Through Behavioral Inconsistency

Weakness ID: 206
Abstraction: Variant
Status: Incomplete
Presentation Filter:
+ Description

Description Summary

Two separate operations in a product cause the product to behave differently in a way that is observable to an attacker and reveals security-relevant information about the internal state of the product, such as whether a particular operation was successful or not.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality
Access Control

Technical Impact: Read application data; Bypass protection mechanism

+ Observed Examples
ReferenceDescription
File existence via infoleak monitoring whether "onerror" handler fires or not.
Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not).
Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space.
Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration.
+ Potential Mitigations

Setup generic response pages for error condition. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. The attacker who tries random account name may be able to guess some of them. Confirming that the account exists would make the login page more susceptible to brute force attack.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base205Information Exposure Through Behavioral Discrepancy
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory967SFP Secondary Cluster: State Disclosure
Software Fault Pattern (SFP) Clusters (primary)888
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInternal behavioral inconsistency infoleak
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2011-03-29CWE Content TeamMITREInternal
updated Name
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2014-07-30CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2011-03-29Internal Behavioral Inconsistency Information Leak

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017