A system information leak occurs when either the application or the application server discloses information about the web application platform that might be useful to the attacker. Some examples of information that might benefit the attacker are: the file system path of the application, the name and version of the operating system, the name and version of the web server software, and the name and version of the web application platform and its configuration options.
The danger of system information leaks is that they make other attacks easier to carry out. In general, the application should volunteer as little information as possible about the platform on which it is running.
This vulnerability type affects all applications.
System information leaks can be used by attackers to exploit other vulnerabilities, if other vulnerabilities are present. By itself, a system information leak doesn't give an attacker any additional abilities. System information leaks have to be combined with other vulnerabilities to result in a compromise. For example, the operating system used by the application server might be outdated and vulnerable, but the attacker won't know that until the application tells them that the server is outdated. At that point, the attacker can use an exploit targeting the server operating system to compromise the application.
To prevent system information leaks, be sure to handle all errors, use simple error messages, and disable platform banners.
- Handle Exceptions
- Use Global Exception Handlers
- Display Simple Error Messages
- Reduce Application Fingerprints
To check for adequate protection against system information leaks, verify that all errors are handled, simple error messages are used, and platform banners are disabled.
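The following is an added, framework-free Python sketch (not code from the original page) of the four mitigations listed above and of the verification step: a global exception handler that logs full detail server-side and returns only a simple message, a header filter that drops platform banners, and a `find_leaks` check that scans a finished response for the kinds of disclosure the page describes. The header names, regular expressions, sample banners and the failing view are constructed for illustration and are assumptions, not values from the page.

```python
"""Added example: handle every exception, return a simple message, strip
platform banners, and verify that a response no longer fingerprints the platform."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Response headers that commonly advertise the platform (assumed list; extend as needed).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-runtime"}

# Body patterns that indicate an error page is leaking internals (assumed patterns).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python stack trace
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),                # Java stack frame
    re.compile(r"(?:/[\w.-]+){2,}\.(?:py|php|java|rb|cs)\b"),    # file system path
    re.compile(r"\b[\w.-]+/\d+\.\d+(?:\.\d+)?\b"),               # product/1.2.3 banner
]


def strip_fingerprint_headers(headers: dict) -> dict:
    """Return a copy of the response headers with platform banners removed."""
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


def global_exception_handler(exc: BaseException) -> tuple:
    """Catch-all handler: keep the detail in the server log, give the user only a
    simple message plus an opaque reference id that support can correlate."""
    ref = uuid.uuid4().hex[:12]
    log.error("unhandled exception ref=%s\n%s", ref,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    body = f"An internal error occurred. Reference: {ref}"
    return 500, {"Content-Type": "text/plain"}, body


def handle_request(view, platform_headers: dict) -> tuple:
    """Run a view inside the global handler and scrub banners on the way out."""
    try:
        status, resp_headers, body = view()
    except Exception as exc:  # nothing escapes to the platform's default error page
        status, resp_headers, body = global_exception_handler(exc)
    return status, strip_fingerprint_headers({**platform_headers, **resp_headers}), body


def find_leaks(status: int, headers: dict, body: str) -> list:
    """Verification step: list everything in a response that discloses the platform."""
    findings = [f"header:{k}" for k in headers if k.lower() in FINGERPRINT_HEADERS]
    findings += [f"body:{p.pattern}" for p in LEAK_PATTERNS if p.search(body)]
    return findings


# Constructed sample: a platform that adds banners by default, and a view that fails.
DEFAULT_HEADERS = {"Server": "ExampleHTTPd/2.4.1", "X-Powered-By": "Example/8.1"}


def failing_view():
    raise RuntimeError("db connect failed at /srv/app/lib/db.py")


def leaky_response() -> tuple:
    """The same failure with typical default behaviour: banners kept, trace shown."""
    try:
        failing_view()
    except Exception:
        return 500, DEFAULT_HEADERS, traceback.format_exc()


def demo() -> dict:
    """Compare what the check reports for the leaky and the hardened handling."""
    leaky = leaky_response()
    hardened = handle_request(failing_view, DEFAULT_HEADERS)
    return {"leaky": find_leaks(*leaky), "hardened": find_leaks(*hardened)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no leaks found")
```

The reference id is the design point worth copying: it lets the user report a failure and lets operations find the full stack trace in the log, without the response carrying any path, version or trace. Run `find_leaks` against real error responses (forced 404s, malformed input, oversized bodies) as the check described above, and extend `FINGERPRINT_HEADERS` and `LEAK_PATTERNS` to match the platform actually in use.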