This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Information Leakage"

From OWASP
Jump to: navigation, search
(Posted on behalf of Rajat Bhargava)
(No difference)

Revision as of 10:37, 22 July 2013

Return to Periodic Table Working View


Information Leakage

Root Cause Summary

Various components in the application, the state of the application and the request/response data can intentionally or unintentionally disclosure information not intended to be disclosed. This information can be in the form of sensitive data or useful information about the application that can be used for targeted attacks.


Browser / Standards Solution

None


Perimeter Solution

· Alert, block, or sanitize classified data in responses.

· Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data.

· Configure platform to return generic error codes by default and log locally.

· Disable stack trace to be displayed back, show generic error page instead.


Generic Framework Solution

· Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs.

· Provide configurable content expiration/caching interface; default to no-cache, no-store.

· Provide common methods to mask general classified data in responses, example SSN, CC etc.

· Block classified information to be sent as parameters over GET request.

· Block file paths from being displayed by default.

Custom Framework Solution

· Provide common methods to mask data considered sensitive by the application, example email address.

Custom Code Solution

· Don't leak information via error parity mismatches.

· Only send back data in the response to the client that is needed.


Discussion / Controversy

References

CWE-200: Information Exposure http://cwe.mitre.org/data/definitions/200.html