
CWE-209 Individual Dictionary Definition (Draft 9)

Error Message Information Leaks
Weakness ID: 209 (Weakness Base)
Status: Draft

Description

Summary

The product includes sensitive information within an error message.

Likelihood of Exploit

High

Common Consequences

Confidentiality: The error message often reveals either sensitive information that can be used to stage a later attack, or private information stored on the server.

Potential Mitigations

Design: When an application detects illegal input, error messages should only provide generic feedback, such as "Illegal characters were detected." Messages should provide few, if any, implementation details.

Implementation: Any error should be parsed for dangerous revelations.

Build: Debugging information should not make its way into a production release.

Handle exceptions internally and do not display errors containing potentially sensitive information to a user. Create default error pages if necessary.

Demonstrative Examples

Java Example:

try { /* ... */ }
catch (Exception e) { System.out.println(e); } // the exception's class name, message and internal state go straight to the user

Here far more data than is needed is passed to the user. Another example is passing SQL exceptions to a web user without filtering.
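Added example (not from the CWE entry) contrasting the leaking pattern above with a handler that follows the mitigations: the full exception is logged server-side under a reference ID and the user receives only generic text. The findUser method and its failure message are constructed stand-ins for a real database call.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/* Added example, not part of the CWE entry: a hypothetical user lookup showing
   the leaking pattern beside a handler that keeps implementation details internal. */
public class ErrorHandlingExample {
    private static final Logger LOG = Logger.getLogger(ErrorHandlingExample.class.getName());

    // Constructed stand-in for a data-access call; it fails the way a real query might.
    static String findUser(String userId) throws SQLException {
        throw new SQLException("table or view does not exist: APP.USERS", "42S02", 942);
    }

    // Leaking version (the pattern the entry warns about): the exception text,
    // including SQLSTATE, vendor code and schema names, is returned to the web user.
    static String lookupLeaky(String userId) {
        try {
            return findUser(userId);
        } catch (Exception e) {
            return "Error: " + e;
        }
    }

    // Hardened version: details are logged internally under a reference ID and the
    // user gets only a generic message plus that ID so support can correlate it.
    static String lookupSafe(String userId) {
        try {
            return findUser(userId);
        } catch (SQLException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "DB failure ref=" + ref + " sqlstate=" + e.getSQLState(), e);
            return "The request could not be completed. Reference ID: " + ref;
        } catch (RuntimeException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Unexpected failure ref=" + ref, e);
            return "The request could not be completed. Reference ID: " + ref;
        }
    }

    public static void main(String[] args) {
        System.out.println(lookupLeaky("42")); // exposes table name, SQLSTATE and vendor code
        System.out.println(lookupSafe("42"));  // generic text; details appear only in the server log
    }
}
```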

Context Notes

Error messages should not provide attackers with any implementation details when the application detects an illegal action. This includes indicating exactly what is allowable, or exactly what was illegal about the user input. Such detailed information can help an attacker craft another attack that now will pass through the validation filters.

The first thing an attacker may use -- once an attack has failed -- to stage the next attack is the error information provided by the server. SQL Injection attacks generally probe the server for information in order to stage a successful attack.

Relationships
Nature      Type              ID    Name
ChildOf     Weakness Class    200   Information Leak (Information Disclosure)
ParentOf    Weakness Variant  12    ASP.NET Misconfiguration: Missing Custom Error Handling
CanAlsoBe   Weakness Variant  201   Information Leak Through Sent Data
ParentOf    Weakness Base     210   Product-Generated Error Message Information Leak
ParentOf    Weakness Base     211   Product-External Error Message Information Leak
CanFollow   Weakness Base     600   Failure to Catch All Exceptions (Missing Catch Block)
CanAlsoBe   Weakness Variant  81    Failure to Sanitize Directives in an Error Message Web Page
Source Taxonomies

CLASP - Accidental leaking of sensitive information through error messages

Applicable Platforms

All

Related Attack Patterns
CAPEC-ID    Attack Pattern Name
54          Probing an Application Through Targeting its Error Reporting
7           Blind SQL Injection
Page Last Updated: April 22, 2008