CWE-209: Generation of Error Message Containing Sensitive Information

Causes

• In the following example, sensitive information might be printed depending on the exception that occurs. If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem.
• This code tries to open a database connection, and prints any exceptions that occur. If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database.
• The following code generates an error message that leaks the full pathname of the configuration file. If this code is running on a server, such as a web application, then the person making the request should not know what the full pathname of the configuration directory is. By submitting a username that does not produce a $file that exists, an attacker could get this pathname. It could then be used to exploit path traversal or symbolic link following problems that may exist elsewhere in the application.
• In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file. The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.

Remediation

• Implementation: [object Object]
• Implementation: Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
• Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
• Implementation,Build and Compilation: Debugging information should not make its way into a production release.
• System Configuration: Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
• System Configuration: Create default error pages or messages that do not leak any information.

Detection

• Manual Analysis: This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
• Automated Analysis: Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
• Automated Dynamic Analysis: [object Object]
• Manual Dynamic Analysis: Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
• Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Related CWEs

• CWE-1295: Debug Messages Revealing Unnecessary Information
• CWE-201: Insertion of Sensitive Information Into Sent Data
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-755: Improper Handling of Exceptional Conditions
• CWE-210: Self-generated Error Message Containing Sensitive Information
• CWE-211: Externally-Generated Error Message Containing Sensitive Information
• CWE-550: Server-generated Error Message Containing Sensitive Information
• CWE-600: Uncaught Exception in Servlet
• CWE-756: Missing Custom Error Page
• CWE-81: Improper Neutralization of Script in an Error Message Web Page

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.