Technical information leak - Stacktrace
Description
Errors or exceptional events are not properly handled by the application, allowing an attacker to disclose technical information from system error traces.
Impact
Exhibit technical information of the system.
Recommendation
Remove functions that print technical information, such as printStackTrace, from the source code.
Handle errors with typed exceptions and store them in duly protected logs.
Threat
Internal attacker with access to the server console.
Expected Remediation Time
⌚ 15 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: U
- Report confidence: R
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:R
- Score:
  - Base: 4.3
  - Temporal: 3.9
- Severity:
  - Base: Medium
  - Temporal: Low
Code Examples
Compliant code
The application correctly handles exceptions without using print functions that leak technical information.
import java.util.logging.Level;
import java.util.logging.Logger;

public class Test {
    private static final Logger LOGGER = Logger.getLogger(Test.class.getName());

    public static void main(String[] args) {
        try {
            // Code to handle data that could result in an exception
        } catch (IndexOutOfBoundsException e) {
            // Technical details go to a protected log, never to the console or the user
            LOGGER.log(Level.SEVERE, "Failed to process data", e);
            // The user only sees a generic message
            System.out.println("Error message");
        }
    }
}
Non compliant code
The application uses stack trace functions that could potentially print sensitive information.
public class Test {
    public static void main(String[] args) {
        try {
            // Code to handle data that could result in an exception
        } catch (IndexOutOfBoundsException e) {
            if ("Error".equals(e.getMessage())) {
                System.out.println("Error");
            }
            // Writes class names, method names and line numbers to the console output
            e.printStackTrace();
        }
    }
}
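The following is an added example, not code from the original page: a request-style handler written both ways, so the difference between a stack trace reaching the caller and a correlation id that points operators to a protected log is visible side by side. The lookup routine and the method names are hypothetical.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeErrorHandling {
    private static final Logger LOGGER = Logger.getLogger(SafeErrorHandling.class.getName());

    // Hypothetical business operation; fails for an out-of-range index.
    static int lookup(int[] table, int index) {
        return table[index];
    }

    // Leaky variant: the full stack trace is rendered into the response body,
    // which exposes class names, method names and line numbers to the caller.
    static String handleLeaky(int[] table, int index) {
        try {
            return "value=" + lookup(table, index);
        } catch (RuntimeException e) {
            StringWriter sw = new StringWriter();
            e.printStackTrace(new PrintWriter(sw));
            return "Internal error: " + sw;
        }
    }

    // Hardened variant: the caller gets a generic message plus a correlation id,
    // and the technical detail is written only to a log that must be access-controlled.
    static String handleSafe(int[] table, int index) {
        try {
            return "value=" + lookup(table, index);
        } catch (RuntimeException e) {
            String correlationId = UUID.randomUUID().toString();
            LOGGER.log(Level.SEVERE, "Request failed, correlationId=" + correlationId, e);
            return "Internal error. Reference: " + correlationId;
        }
    }

    public static void main(String[] args) {
        int[] table = {10, 20, 30};   // constructed sample data
        System.out.println(handleLeaky(table, 7));
        System.out.println(handleSafe(table, 7));
    }
}
```

Run it once and compare the two outputs: the first contains the exception class and a line-by-line trace of the application, the second only an opaque reference value.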
Requirements