Avoid disclosing technical information
Summary
The application must not disclose internal system information such as stack traces, SQL sentence fragments, database names or table names.
Description
Applications should fail safely whenever an unexpected event occurs, and how error messages are presented is part of that safe handling. Specific technical information (stack traces, query fragments, database or table names) should therefore not be shown to unauthorized users, because an attacker could use it to find and exploit other vulnerabilities.
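As an added illustration (example code, not part of this page or of any Fluid Attacks product), the handler below shows the failure mode beside the safe form: the unsafe handler echoes the database error and stack trace to the client, while the safe handler returns a generic message plus an incident id and keeps the detail in the server log. The missing `users` table and the `sqlite3` in-memory database are constructed for the example.

```python
import json
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")


def run_query(user_id: str) -> list:
    # Constructed failure: the in-memory database has no "users" table, so
    # sqlite3 raises OperationalError("no such table: users").
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    finally:
        conn.close()


def unsafe_handler(user_id: str) -> dict:
    """Leaky form: the raw exception text and stack trace reach the client."""
    try:
        return {"status": 200, "body": {"rows": run_query(user_id)}}
    except Exception as exc:
        return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}


def safe_handler(user_id: str) -> dict:
    """Safe form: generic message to the client, full detail only in the server log,
    correlated through an incident id the user can quote to support."""
    try:
        return {"status": 200, "body": {"rows": run_query(user_id)}}
    except Exception:
        incident_id = uuid.uuid4().hex
        log.exception("unhandled error, incident_id=%s", incident_id)
        return {"status": 500, "body": {"error": "An internal error occurred.", "incident_id": incident_id}}


# Markers a response check (or a test) can look for in what is sent to the client.
LEAK_MARKERS = ("Traceback", "no such table", "users", "SELECT")


def leaks_technical_info(response: dict) -> bool:
    """True if the serialized response body carries any of the technical markers."""
    text = json.dumps(response["body"])
    return any(marker in text for marker in LEAK_MARKERS)
```

The same `leaks_technical_info` check can run in an integration test against real responses to catch regressions where a framework's debug mode is left on.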
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-116. Excavation
- CAPEC™-224. Fingerprinting
- CWE™-209. Generation of error message containing sensitive information
- CWE™-210. Self-generated error message containing sensitive information
- Agile Alliance-9. Continuous attention to technical excellence and good design
- PA-DSS-5_2_5. Improper error handling
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- CMMC-SC_L2-3_13_8. Data in transit
- HITRUST CSF-07_b. Ownership of assets
- HITRUST CSF-09_m. Network controls
- HITRUST CSF-09_ab. Monitoring system use
- ISO/IEC 27002-8_8. Management of technical vulnerabilities
- ISO/IEC 27002-8_26. Application security requirements
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- ISSAF-T_6_6. Web application assessment - Identifying web server vendor and version (by error)
- ISSAF-T_16_1. Web application assessment - Input validation (validate data)
- ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)
- PTES-4_2_1_5. Business asset analysis - Organizational data (technical information)
- PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
- OWASP SCP-3. Authentication and password management
- OWASP SCP-7. Error handling and logging
- BSAFSS-EE_1-3. Error and exception handling capabilities
- OWASP ASVS-13_4_1. GraphQL
- OWASP ASVS-14_3_3. Unintended security disclosure
- PCI DSS-1_4_5. Do not disclose internal IP addresses and routing information
- ISO/IEC 27001-8_8. Management of technical vulnerabilities
- ISO/IEC 27001-8_26. Application security requirements
Vulnerabilities
- 037. Technical information leak
- 058. Debugging enabled in production - APK
- 066. Technical information leak - Console functions
- 183. Debugging enabled in production
- 232. Technical information leak - Angular
- 234. Technical information leak - Stacktrace
- 235. Technical information leak - Headers
- 236. Technical information leak - SourceMap
- 237. Technical information leak - Print Functions
- 238. Technical information leak - API
- 239. Technical information leak - Errors
- 289. Technical information leak - Logs
- 290. Technical information leak - IPs
- 342. Technical information leak - Alert
- 349. Technical information leak - Credentials
- 362. Technical information leak - Content response