This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Information Leakage"
From OWASP
James Landis (talk | contribs) (Posted on behalf of Rajat Bhargava) |
James Landis (talk | contribs) |
||
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | [[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]] | |
− | |||
− | |||
== Information Leakage == | == Information Leakage == | ||
− | |||
− | |||
=== Root Cause Summary === | === Root Cause Summary === | ||
− | + | The application discloses sensitive/classified data or useful data about the application that can be used for targeted attacks, even though the developer did not intend for the data to be disclosed. | |
− | |||
− | |||
=== Browser / Standards Solution === | === Browser / Standards Solution === | ||
None | None | ||
− | |||
− | |||
=== Perimeter Solution === | === Perimeter Solution === | ||
− | + | * Alert, block, or automatically sanitize classified data in responses. | |
− | + | * Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data. | |
− | |||
− | |||
− | |||
− | |||
+ | * Configure the platform to return generic error codes by default and log locally. | ||
+ | * Disable stack traces in production; show a generic error page instead. | ||
=== Generic Framework Solution === | === Generic Framework Solution === | ||
− | + | * Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs. | |
− | + | * Provide configurable content expiration/caching interface; default to no-cache, no-store. | |
− | + | * Provide common methods to mask data in responses based on configurable rules for varying levels of data classification. | |
− | + | * Block classified information from being sent as URL parameters or logged as part of a GET request. | |
− | + | * Block file paths from being displayed by default. | |
=== Custom Framework Solution === | === Custom Framework Solution === | ||
− | + | None | |
=== Custom Code Solution === | === Custom Code Solution === | ||
− | + | * Don't leak information via error parity mismatches. For example, a login form should return the same error message regardless of whether the username or password is incorrect, in order to prevent account enumeration. | |
− | |||
− | |||
− | |||
+ | * Only send back data in the response to the client that is needed. | ||
=== Discussion / Controversy === | === Discussion / Controversy === | ||
− | + | None | |
=== References === | === References === | ||
− | + | [http://projects.webappsec.org/w/page/13246936/Information%20Leakage Information Leakage (WASC)]<BR> | |
+ | [http://cwe.mitre.org/data/definitions/200.html Information Exposure (CWE)] |
Latest revision as of 10:58, 22 July 2013
Return to Periodic Table Working View
Information Leakage
Root Cause Summary
The application discloses sensitive/classified data or useful data about the application that can be used for targeted attacks, even though the developer did not intend for the data to be disclosed.
Browser / Standards Solution
None
Perimeter Solution
- Alert, block, or automatically sanitize classified data in responses.
- Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data.
- Configure the platform to return generic error codes by default and log locally.
- Disable stack traces in production; show a generic error page instead.
Generic Framework Solution
- Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs.
- Provide configurable content expiration/caching interface; default to no-cache, no-store.
- Provide common methods to mask data in responses based on configurable rules for varying levels of data classification.
- Block classified information from being sent as URL parameters or logged as part of a GET request.
- Block file paths from being displayed by default.
Custom Framework Solution
None
Custom Code Solution
- Don't leak information via error parity mismatches. For example, a login form should return the same error message regardless of whether the username or password is incorrect, in order to prevent account enumeration.
- Only send back data in the response to the client that is needed.
Discussion / Controversy
None