CWE - CWE-209: Error Message Information Leaks (Draft 9)

Home > CWE List > CWE-209 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-209 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

209 (Weakness Base)

Description

Summary

The product includes sensitive information within an error message.

Likelihood of Exploit

High

Common Consequences

Confidentiality: Often this will either reveal sensitive information which may be used for a later attack or private information stored in the server.

Potential Mitigations

Design: When an application detects illegal input, error messages should only provide generic feedback, such as "Illegal characters were detected." Messages should provide few, if any, implementation details.

Implementation: Any error should be parsed for dangerous revelations.

Build: Debugging information should not make its way into a production release.

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Demonstrative
Examples

Java Example:

try { /.../ }
catch (Exception e) { System.out.println(e); }

Here you are passing much more data than is needed. Another example is passing the SQL exceptions to a WebUser without filtering.

Context Notes

Error messages should not provide attackers with any implementation details when the application detects an illegal action. This includes indicating exactly what is allowable, or exactly what was illegal about the user input. Such detailed information can help an attacker craft another attack that now will pass through the validation filters.

The first thing an attacker may use -- once an attack has failed -- to stage the next attack is the error information provided by the server. SQL Injection attacks generally probe the server for information in order to stage a successful attack.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	200	Information Leak (Information Disclosure)
ParentOf	Weakness Variant	12	ASP.NET Misconfiguration: Missing Custom Error Handling
CanAlsoBe	Weakness Variant	201	Information Leak Through Sent Data
ParentOf	Weakness Base	210	Product-Generated Error Message Information Leak
ParentOf	Weakness Base	211	Product-External Error Message Information Leak
CanFollow	Weakness Base	600	Failure to Catch All Exceptions (Missing Catch Block)
CanAlsoBe	Weakness Variant	81	Failure to Sanitize Directives in an Error Message Web Page

Source Taxonomies

CLASP - Accidental leaking of sensitive information through error messages

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
54	Probing an Application Through Targeting its Error Reporting
7	Blind SQL Injection

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us