OWASP Periodic Table of Vulnerabilities - Information Leakage
Root Cause Summary
Various components of the application, the state of the application and the request/response data can intentionally or unintentionally disclose information that was not meant to be disclosed. This information can be sensitive data itself or useful details about the application (versions, paths, stack traces) that can be used to plan targeted attacks.
Browser / Standards Solution
· Alert, block, or sanitize classified data in responses.
· Configure platform to return generic error codes by default and log locally.
· Disable the display of stack traces to the client; show a generic error page instead.
Generic Framework Solution
· Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs.
· Provide configurable content expiration/caching interface; default to no-cache, no-store.
· Provide common methods to mask generally classified data in responses, for example SSNs, credit card numbers, etc.
· Block classified information from being sent as parameters in GET requests (URLs are recorded in browser history, proxy logs and server logs).
· Block file paths from being displayed by default.
Custom Framework Solution
· Provide common methods to mask data considered sensitive by the application, for example email addresses.
Custom Code Solution
· Don't leak information via error parity mismatches (different error responses for different failure causes).
· Only send back data in the response to the client that is needed.
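As an added example (not part of the OWASP page or any framework's code), the two-message error API, the generic-response default and the classified-data masking described above could look like this in Python; `AppError`, `handle_error`, `mask_classified` and the SSN/card patterns are this example's own assumptions.

```python
import logging
import re
import uuid

log = logging.getLogger("app")  # local log that receives the detailed message

# Constructed patterns for two classified-data classes named on the page (SSN, credit card).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CC_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def _keep_last_four(match):
    """Mask every digit except the last four, preserving separators."""
    raw = match.group(0)
    total = sum(ch.isdigit() for ch in raw)
    seen, out = 0, []
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def mask_classified(text):
    """Common masking method for response bodies (SSN -> ***-**-6789, card -> **** **** **** 1111)."""
    return SSN_RE.sub(_keep_last_four, CC_RE.sub(_keep_last_four, text))


class AppError(Exception):
    """Error carrying two messages: one shown to the user, one written to the local log."""

    def __init__(self, user_message, log_message):
        super().__init__(log_message)
        self.user_message = user_message
        self.log_message = log_message


def handle_error(exc, status=400):
    """Return (http_status, body) for the client; exception detail goes only to the log."""
    ref = uuid.uuid4().hex[:12]  # lets support correlate the generic response with the log entry
    if isinstance(exc, AppError):
        log.error("[%s] %s", ref, exc.log_message)
        return status, {"error": mask_classified(exc.user_message), "ref": ref}
    # Unexpected exception: generic 500; str(exc), stack trace and paths are logged, never returned.
    log.error("[%s] unhandled %s: %s", ref, type(exc).__name__, exc)
    return 500, {"error": "An unexpected error occurred.", "ref": ref}
```

Raising `AppError` with the same user message for every authentication failure cause keeps error parity while the log still records the real reason.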
Discussion / Controversy
CWE-200: Information Exposure http://cwe.mitre.org/data/definitions/200.html