R077. Avoid disclosing technical information

Requirement

The application must not disclose internal system information such as stack traces, SQL sentence fragments, database names or table names.

Description

Applications should fail safely whenever an unexpected event occurs, and how error messages are presented is part of failing safely. Specific technical information (stack traces, SQL fragments, database or table names) must therefore not be shown to unauthorized users, since attackers can leverage it to find and exploit other vulnerabilities.
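The following is an added example written for this page, not Fluid Attacks' own code. It contrasts a request handler that returns the raw exception text and stack trace with a hardened handler that logs the full detail server-side and returns only a generic message plus an opaque incident ID (the pattern ASVS 7.4.1 describes). The `DatabaseError` exception, `run_query` failure text and `LEAK_PATTERNS` regexes are constructed for the demonstration; a real acceptance test would tune the patterns to its own stack.

```python
"""Fail safely on unexpected errors: leaky vs. hardened error handling (added example)."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Constructed stand-in for a DB driver exception whose text leaks internals."""


def run_query(user_id):
    # Simulated failure carrying an SQL fragment, a table name and a database name
    # (constructed sample text, modelled on typical driver error messages).
    raise DatabaseError(
        f'relation "customers" does not exist in database "shop_prod" '
        f"LINE 1: SELECT * FROM customers WHERE id = {user_id!r}"
    )


def handler_leaky(user_id):
    """Insecure pattern: exception text and stack trace go straight to the client."""
    try:
        return 200, run_query(user_id)
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handler_safe(user_id):
    """Hardened pattern: generic message plus incident ID; details only reach the log."""
    try:
        return 200, run_query(user_id)
    except Exception:
        incident_id = uuid.uuid4().hex
        # log.exception records the full traceback server-side for support staff.
        log.exception("unhandled error, incident_id=%s", incident_id)
        return 500, {
            "error": "An internal error occurred. Quote the incident ID when contacting support.",
            "incident_id": incident_id,
        }


# Indicators of technical disclosure that an acceptance test can scan responses for.
# Constructed and deliberately non-exhaustive; extend per framework and database.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File ".*\.py", line \d+'),
    re.compile(r"\bSELECT\b.*\bFROM\b", re.I),
    re.compile(r'\b(database|relation|table)\b\s+"?\w+"?', re.I),
]


def discloses_internals(body):
    """Return True if any response field matches a disclosure indicator."""
    if isinstance(body, dict):
        text = " ".join(str(v) for v in body.values())
    else:
        text = str(body)
    return any(p.search(text) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    for name, handler in (("leaky", handler_leaky), ("safe", handler_safe)):
        status, body = handler(42)
        print(f"{name}: status={status} discloses_internals={discloses_internals(body)}")
```

The incident ID is the key design point: it lets support correlate the user's report with the full server-side log entry without any of that detail crossing the trust boundary. The `discloses_internals` check is the kind of assertion worth running in an integration test suite against every error path, including the framework's default 404 and 500 pages.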

References

  1. CAPEC-116: Excavation. An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes. This is achieved by exploring the target via ordinary interactions for the purpose of gathering intelligence about the target, or by sending data that is syntactically invalid or non-standard in an attempt to produce a response that contains the desired data.

  2. CAPEC-224: Fingerprinting. An adversary compares output from a target system to known indicators that uniquely identify specific details about the target.

  3. CWE-209: Generation of Error Message Containing Sensitive Information. The software generates an error message that includes sensitive information about its environment, users, or associated data.

  4. CWE-210: Self-generated Error Message Containing Sensitive Information. The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

  5. OWASP-ASVS v4.0.1 V7.4 Error Handling (7.4.1). Verify that a generic message is shown when an unexpected or security-sensitive error occurs, potentially with a unique ID that support personnel can use to investigate.

  6. OWASP-ASVS v4.0.1 V14.3 Unintended Security Disclosure Requirements (14.3.1). Verify that web or application server and framework error messages are configured to deliver user-actionable, customized responses to eliminate any unintended security disclosures.

  7. OWASP-ASVS v4.0.1 V14.3 Unintended Security Disclosure Requirements (14.3.2). Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures.

  8. OWASP-ASVS v4.0.1 V14.3 Unintended Security Disclosure Requirements (14.3.3). Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components.

  9. PCI DSS v3.2.1 - Requirement 1.3.7. Do not disclose private IP addresses and routing information to unauthorized parties.

  10. PCI DSS v3.2.1 - Requirement 6.5.5. Address common coding vulnerabilities in software-development processes, such as improper error handling.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
