CWE-600 Individual Dictionary Definition (Draft 9)

Weakness ID: 600 (Weakness Base)
Status: Draft

Description

Summary: A Servlet fails to catch all exceptions, which may reveal sensitive debugging information.

Demonstrative Examples

In the following method a DNS lookup failure will cause the Servlet to throw an exception.

    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        InetAddress addr = InetAddress.getByName(ip);
        ...
        out.println("hello " + addr.getHostName());
    }

Context Notes

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Relationships
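As an added example (not part of the CWE entry), the demonstrative doPost method rewritten in its hardened form: the lookup failure and any other runtime failure are caught inside the Servlet, the detail goes to the server log, and the client receives only a fixed generic message. The GreetingServlet class name and the use of the javax.servlet API and java.util.logging are assumptions for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the CWE entry) showing the mitigation for
// CWE-600: every exception is caught here, so the container's default error
// page, with its stack trace and version details, is never sent to the client.
public class GreetingServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(GreetingServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String ip = req.getRemoteAddr();
        String host;
        try {
            // getByName declares UnknownHostException; the lookup can fail at runtime.
            host = InetAddress.getByName(ip).getHostName();
        } catch (UnknownHostException e) {
            // Keep the diagnostic detail (address, exception) in the server log only.
            LOG.log(Level.WARNING, "lookup failed for " + ip, e);
            sendGenericError(res);
            return;
        } catch (RuntimeException e) {
            // Catch-all so no unexpected failure escapes to the container.
            LOG.log(Level.SEVERE, "unexpected failure in doPost", e);
            sendGenericError(res);
            return;
        }
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("hello " + host);
    }

    // Fixed, non-descriptive response: reveals nothing about the cause.
    private static void sendGenericError(HttpServletResponse res) throws IOException {
        res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        res.setContentType("text/plain");
        res.getWriter().println("An error occurred. Please try again later.");
    }
}
```

As a complementary, container-level control, an error-page mapping for java.lang.Throwable in web.xml replaces the default error page for any exception that still escapes a Servlet.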