Information Exposure Through an Error Message
Description
The application generates an error message that includes sensitive information about its environment, users, or associated data. The sensitive information may be valuable on its own (such as a password or an internal file path), or it may be useful for launching other, more damaging attacks. If an attack fails, the attacker can use the error details returned by the server to launch a more focused attempt. For example, a failed attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application, and a stack trace reveals class names, library versions and line numbers that narrow the search for a working exploit.
Examples
Insecure Code
```scala
// Writes class names, file paths and line numbers to stderr; when a default
// error page or a naive handler echoes that output, the client sees it all.
try { ... } catch { case e: Exception => e.printStackTrace() }
```
Secure Code
```scala
// The full exception is recorded in the server-side log only; the client
// never receives it.
try { ... } catch { case e: Exception => logger.error("Error occurred", e) }
```
Remediation
Implement a custom error handler that returns a generic message to the client and records the full exception (message, stack trace, request context) only in server-side logs. Include an opaque correlation id in both the response and the log entry so support staff can match them without exposing internals, and make sure framework default error pages (which often print stack traces) are disabled in production.
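The split between what the client sees and what the server logs, as an added example that is not part of the original rule page or any tool's code. `ErrorResponse` stands in for a real HTTP framework's response type, the `log` callback stands in for a logger, and the `FileNotFoundException` carrying an internal path is constructed here to show what leaks; all three are assumptions for illustration.

```scala
import java.io.{PrintWriter, StringWriter}
import java.util.UUID

// Hypothetical stand-in for an HTTP framework's response (assumption).
final case class ErrorResponse(status: Int, body: String)

object ErrorHandlers {
  private def stackTraceOf(e: Throwable): String = {
    val sw = new StringWriter()
    e.printStackTrace(new PrintWriter(sw))
    sw.toString
  }

  // Insecure: the exception text and stack trace become the response body,
  // so the client learns internal paths, class names and line numbers.
  def insecureHandle(e: Throwable): ErrorResponse =
    ErrorResponse(500, stackTraceOf(e))

  // Secure: the client gets a fixed generic message plus an opaque correlation
  // id; the full detail goes only to the server-side log, keyed by that id.
  def secureHandle(e: Throwable, log: String => Unit): ErrorResponse = {
    val correlationId = UUID.randomUUID().toString
    log(s"[$correlationId] unhandled ${e.getClass.getName}: ${e.getMessage}\n" +
        stackTraceOf(e))
    ErrorResponse(
      500,
      s"""{"error":"Internal server error","id":"$correlationId"}"""
    )
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    // Constructed failure: an exception message that embeds an internal path.
    val boom = new java.io.FileNotFoundException(
      "/var/app/secret/config.yml (No such file or directory)")

    val leaked = ErrorHandlers.insecureHandle(boom)
    println("insecure response starts with: " + leaked.body.linesIterator.next())

    val logLines = scala.collection.mutable.ListBuffer.empty[String]
    val safe = ErrorHandlers.secureHandle(boom, (s: String) => { logLines += s; () })
    println("secure response: " + safe.body)
    println("server log entry: " + logLines.head.linesIterator.next())

    // The path must appear in the log and never in the client response.
    assert(leaked.body.contains("/var/app/secret"))
    assert(!safe.body.contains("/var/app"))
    assert(logLines.head.contains("/var/app/secret"))
  }
}
```

Run with `scala Demo.scala` (Scala 2.13 or 3). The correlation id is random rather than sequential so a client cannot enumerate other users' failures, and the JSON body is a fixed string so no exception-derived text can reach it by accident.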
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0076 |
| Category | ErrorHandling |
| Severity | LOW |
| CWE | CWE-209 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | |
| OWASP | N/A |