
OWASP Periodic Table of Vulnerabilities - Information Leakage

From OWASP
Revision as of 10:58, 22 July 2013 by James Landis (talk | contribs)



Information Leakage

Root Cause Summary

The application discloses sensitive or classified data, or details about the application itself (stack traces, file paths, source comments, verbose error messages) that an attacker can use to plan targeted attacks, even though the developer never intended that data to be exposed.

Browser / Standards Solution

None

Perimeter Solution

  • Alert, block, or automatically sanitize classified data in responses.
  • Automatically scrub HTML, JavaScript, CSS, and other data formats of comment data.
  • Configure the platform to return generic error responses by default and write the detailed error to a local log.
  • Disable stack traces in production; show a generic error page instead.

Generic Framework Solution

  • Provide common error-handling framework and APIs which take two error messages as parameters: one to be displayed to the user and one to be written to logs.
  • Provide configurable content expiration/caching interface; default to no-cache, no-store.
  • Provide common methods to mask data in responses based on configurable rules for varying levels of data classification.
  • Block classified information from being sent as URL parameters or logged as part of a GET request.
  • Block file paths from being displayed by default.
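The error-handling API, no-cache default, and classification-based masking described in the list above, as an added example written for this page (not OWASP's or any framework's own code). The classification levels, field names, and masking rules are hypothetical; a real framework would load them from configuration.

```python
"""Added example (not OWASP's code): a minimal framework layer that takes two
error messages (one for the user, one for the log), defaults responses to
no-store, and masks classified fields before a record is serialized."""
import json
import logging
import uuid

log = logging.getLogger("app")


class AppError(Exception):
    """Carries a user-facing message and a separate detailed log message."""

    def __init__(self, user_message: str, log_message: str, status: int = 500):
        super().__init__(log_message)
        self.user_message = user_message
        self.log_message = log_message
        self.status = status


def error_response(exc: Exception) -> tuple:
    """Turn any exception into a generic response; details go to the log only.
    The reference ID lets support correlate a user's report with the log line
    without putting stack traces or file paths in the response."""
    ref = uuid.uuid4().hex[:12]
    if isinstance(exc, AppError):
        log.error("ref=%s %s", ref, exc.log_message, exc_info=True)
        return exc.status, {"error": exc.user_message, "reference": ref}
    # Unexpected exception: never echo str(exc), which may contain paths,
    # SQL fragments or hostnames. Only the type name reaches the log line.
    log.error("ref=%s unhandled %s", ref, type(exc).__name__, exc_info=True)
    return 500, {"error": "An internal error occurred.", "reference": ref}


# Masking rules keyed by classification level (hypothetical names). Each rule
# maps the raw value to what may appear in a response.
MASK_RULES = {
    "public": lambda v: v,
    "internal": lambda v: v,
    "confidential": lambda v: "*" * max(len(str(v)) - 4, 0) + str(v)[-4:],
    "restricted": lambda v: "[REDACTED]",
}

# Field classification for one response shape (hypothetical schema).
FIELD_CLASS = {
    "username": "public",
    "email": "confidential",
    "card_number": "confidential",
    "ssn": "restricted",
    "password_hash": "restricted",
}


def mask_response(record: dict, field_class: dict = FIELD_CLASS) -> dict:
    """Apply MASK_RULES per field. Unknown fields are dropped, not passed
    through, so a column added to the model later does not leak by default."""
    out = {}
    for key, value in record.items():
        level = field_class.get(key)
        if level is None:
            continue
        out[key] = MASK_RULES[level](value)
    return out


NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def render(status: int, body: dict, cacheable: bool = False) -> tuple:
    """Framework-level renderer: no-store by default, caching is opt-in."""
    headers = {"Content-Type": "application/json"}
    if not cacheable:
        headers.update(NO_CACHE_HEADERS)
    return status, headers, json.dumps(body)


if __name__ == "__main__":
    # Constructed sample record; not real data.
    user = {"username": "alice", "email": "alice@example.com",
            "ssn": "123-45-6789", "password_hash": "$2b$12$...",
            "debug_path": "/srv/app/models.py"}
    print(render(200, mask_response(user)))
    try:
        raise AppError("Could not load your profile.",
                       "profile lookup failed for user_id=42: db timeout", 503)
    except AppError as e:
        print(render(*error_response(e)))
```

The important design choice is that both `error_response` and `mask_response` fail closed: an exception the code did not anticipate still produces the generic message, and a field the schema does not list is omitted rather than echoed. Wire `error_response` in as the framework's top-level exception handler so individual views cannot opt out of it.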

Custom Framework Solution

None

Custom Code Solution

  • Don't leak information through mismatched error responses. For example, a login form should return the same error message, and take the same amount of work to produce it, whether the username or the password is wrong, so that valid accounts cannot be enumerated.
  • Return only the data the client needs for the current operation; do not send whole records and rely on the client to hide fields.
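The login-form parity point above, as an added example for this page (not OWASP's code). It shows the leaky pattern beside the corrected one; the user store, the password-hashing parameters, and the dummy credential used to equalize work are all constructed for the example.

```python
"""Added example (not OWASP's code): a login check that returns one message
for an unknown user and for a wrong password, and does the same hashing work
in both cases so response time does not reveal which one failed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed tuning for the example, not from the page


def hash_password(password: str, salt=None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store with a single hypothetical account.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": (_salt, _digest)}

# Dummy credential used when the username does not exist, so PBKDF2 runs on
# every request and the unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple:
    """The pattern to avoid: distinct messages and an early return that skips
    the hash work let an attacker enumerate valid usernames by message or by timing."""
    if username not in USERS:
        return False, "Unknown user."
    salt, digest = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return False, "Wrong password."
    return True, "Welcome."


def login(username: str, password: str) -> tuple:
    """Parity-preserving version: one message, one code path, constant-time compare."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)[1]
    # compare_digest avoids a byte-by-byte early exit; the membership check
    # runs after it so the hash comparison happens for every request.
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("bob", "wrong")]:
        print(user, login_leaky(user, pw), login(user, pw))
```

The same rule applies to registration ("that email is already taken"), password reset ("no account with that address"), and account-lockout notices; each of those is an enumeration oracle if its response differs by whether the account exists.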

Discussion / Controversy

None

References

Information Leakage (WASC)
Information Exposure (CWE)