Errors

Messages provided to clients can disclose unnecessary information.

  • Errors from the infrastructure and support services.

    • An attacker may force the system into an error condition by providing invalid input.

  • Response discrepancy during the interaction (CWE-204).

Verbose error output provides information about internal processes, existing data, and software versions.

  • Stack traces and detailed error messages.

May allow an attacker to enumerate data (e.g. usernames).

  • If there is a response discrepancy between existing/non-existing users.

Mitigations

Do not provide verbose output to users; log it server-side instead.

  • If you must, generate the error, identify any sensitive data it contains, and filter that data out before it reaches the client.

  • Alternatively, present a unique error code that can be used to track the issue by the support teams.

Focus on the process as a whole.

  • Authentication is either successful or unsuccessful.

  • A file can either be accessed or not.
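The mitigations above, as an added example (not code from the original page): a login handler that returns the same response for an unknown user and a wrong password (CWE-204), keeps stack traces in the server log, and hands the client only a generic message with a unique reference code. The user store, salt and password are constructed sample data.

```python
import hashlib
import hmac
import logging
import secrets
import uuid

log = logging.getLogger("auth")

# Constructed sample user store: username -> PBKDF2 digest (hypothetical, not a real schema).
_SALT = b"constructed-salt"

def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": _digest(_SALT, "correct horse")}
# Dummy digest so an unknown username follows the same code path and cost as a known one.
_DUMMY = _digest(_SALT, secrets.token_hex(16))

GENERIC_AUTH_FAILURE = "Authentication failed."
GENERIC_ERROR = "An internal error occurred. Reference: {ref}"


def authenticate(username: str, password: str) -> dict:
    """Outcome is either success or failure; the response never says which part failed."""
    stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(stored, _digest(_SALT, password))
    if matches and username in USERS:
        return {"status": 200, "message": "OK"}
    # One message for both 'no such user' and 'wrong password' (CWE-204 mitigation).
    return {"status": 401, "message": GENERIC_AUTH_FAILURE}


def handle_request(username, password) -> dict:
    """Wrap the process so infrastructure errors never leak a trace to the client."""
    try:
        return authenticate(username, password)
    except Exception:
        ref = uuid.uuid4().hex  # unique code the support team can use to find the log entry
        # Verbose detail (stack trace, input) stays in the server log only.
        log.exception("auth error ref=%s user=%r", ref, username)
        return {"status": 500, "message": GENERIC_ERROR.format(ref=ref)}
```

Passing a non-string password (e.g. `None`) exercises the error path: the client sees only the reference code while the traceback goes to the log.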
