Information exposure through an error message occurs when an error message discloses sensitive information that may help an attacker. Typical examples include disclosing whether a username is valid during failed authentication and disclosing SQL queries that cause database errors. The latter example is particularly dangerous because it greatly simplifies SQL injection attacks. The danger of error message information disclosure is that it makes other attacks easier and, in some cases, it is required for an attack to succeed. In general, error messages should not disclose sensitive information to the end user. All applications are affected by this vulnerability type, but especially ones that use authentication and SQL databases.
Information exposure through an error message provides information to the attacker that enables him to carry out additional attacks. The two most common and dangerous scenarios are disclosing whether a username is valid during failed authentication, and disclosing SQL queries after database errors. Knowing the username greatly simplifies password guessing attacks. Disclosing SQL queries during errors helps the attacker determine whether a SQL injection vulnerability is present and what exactly the syntax of the vulnerability is. Displaying invalid SQL queries to the attacker also makes extracting data from the database via SQL injection a lot easier, because SQL injection can be formed in such a way that sensitive data is displayed as a part of an invaild query. This scenario is commonly used to extract password hashes from the database for administrative accounts.
To prevent error message information disclosure, handle all errors, use simple error messages, and log detailed error information.
Handle all errors:
Use simple error messages:
Log detailed error information:
To check for adequate protection against error message information disclosure, verify that all errors are handled, that simple error messages are used, and detailed error information is logged.
All errors are handled:
Simple error messages are used:
Detailed error information is logged:
Computer Based Training Links
Use the following Computer Based Training courses to learn more about Information Exposure Through an Error Message including techniques for remediation and prevention.
Creating Secure Code – JRE Foundations
In this course, you will learn to recognize and remediate common Java Web software security vulnerabilities. This course has three modules, which introduce you to these vulnerabilities and help you to identify and remediate them.
Creating Secure J2EE Code
This course introduces and explains the precautionary measures you can use to avoid Web software security vulnerabilities, such as data leakage attacks, client/server protocol manipulation, injection attacks, and exploiting authentication. At the end of this course, you will have learned about time-tested defensive coding principles and how to use them to increase the security of your application, and prevent common security vulnerabilities.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.