When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Example 1: In the following method a DNS lookup failure will cause the Servlet to throw an exception.

protected void doPost (HttpServletRequest req,
                    HttpServletResponse res)
              throws IOException {
    String ip = req.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip);
    ...
    out.println("hello " + addr.getHostName());
}

Example 2: The following method will throw a NullPointerException if the parameter "name" is not part of the request.

protected void doPost (HttpServletRequest req,
                    HttpServletResponse res)
              throws IOException {
    String name = getParameter("name");
    ...
    out.println("hello " + name.trim());
}

An external information leak occurs when system data or debug information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks, which are more difficult for an attacker to access.

Example 1: The following code leaks Exception information in the HTTP response:

protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
    ...
    PrintWriter out = res.getWriter();
    try {
        ...
    } catch (Exception e) {
      out.println(e.getMessage());
    }
}

This information can be exposed to a remote user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.

Information leaks are also a concern in a mobile computing environment. With mobile platforms, applications are downloaded from various sources and are run alongside each other on the same device. The likelihood of running a piece of malware next to a banking application is high, which is why application authors need to be careful about what information they include in messages addressed to other applications running on the device.

Example 2: The following code broadcasts the stack trace of a caught exception to all the registered Android receivers.

...
try {
  ...
} catch (Exception e) {
    String exception = Log.getStackTraceString(e);
    Intent i = new Intent();
    i.setAction("SEND_EXCEPTION");
    i.putExtra("exception", exception);
    view.getContext().sendBroadcast(i);
}
...

This is another scenario specific to the mobile environment. Most mobile devices now implement a Near-Field Communication (NFC) protocol for quickly sharing information between devices using radio communication. It works by bringing devices in close proximity or having the devices touch each other. Even though the communication range of NFC is limited to just a few centimeters, eavesdropping, data modification and various other types of attacks are possible, because NFC alone does not ensure secure communication.

Example 3: The Android platform provides support for NFC. The following code creates a message that gets pushed to the other device within range.

...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE);
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
  return;

String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
            MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
nfcAdapter.setNdefPushMessage(msg, this);
...

An NFC Data Exchange Format (NDEF) message contains typed data, a URI, or a custom application payload. If the message contains information about the application, such as its name, MIME type, or device software version, this information could be leaked to an eavesdropper.

Internal IP can be leaked due to:
1. Developer comments in application code
2. Unrestricted access to configuration files
3. Details revealed in verbose error messages
4. Server misconfiguration or failure to patch vulnerable servers causing an IP to be revealed in HTTP headers
Leaked IP addresses can allow an adversary to discover internal servers and gain access to restricted resources.

An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.

Example 1: The following XML contains system information about a device stored in a plist file. Among other values that are stored, the UDID key stores a Unique Device Identifier.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>systemName</key>
  <string>John's iPhone</string>
  <key>systemInfo</key>
  <dict>
          <key>UDID</key>
          <string>2b6f0cc904d137be2e1730235f5664094b831186</string>
          <key>systemVersion</key>
          <string>4.2</string>
          <key>model</key>
          <string>iPhone</string>
          <key>localizedModel</key>
          <string>iPhone</string>
  </dict>
</dict>
</plist>

The code in Example 1 stores private user information from the mobile device in an unprotected plist file stored on the device. Although many developers trust plist files as a safe storage location for any and all data, it should not be trusted implicitly particularly when system information and privacy are a concern, since plist files could be read by anyone in possession of the device.

LDAP error messages can reveal details about the users and network hosts. The foremost defense that applications can use against malicious attacks is minimizing the application knowledge revealed to the attacker. Most prominent vulnerabilities occur as a result of unintended application behavior triggered by unexpected user input.

Attackers exploit this fact to force applications into disclosing details about their functionality. Error messages act as a primary source of this knowledge. Details revealed via LDAP error messages could allow an attacker to effectively craft LDAP injection payloads.

Hardcoding LDAP queries into the application code or revealing them via error messages can expose sensitive information like variable names or path information. It will also disclose valuable information about the structure of an LDAP query. An attacker can use this information to manipulate the LDAP statement or filter and retrieve user records or execute arbitrary LDAP commands.

Avoid logging SQL queries in production systems. SQL queries often contain sensitive information, such as credit card details or social security numbers, and logging this information in plain text can compromise its confidentiality.

Example 1: The following entries from log4j.properties file causes all queries to be logged at the info level.

...
log4j.logger.net.sf.hibernate.type=info
log4j.logger.net.sf.hibernate.tool.hbm2ddl=info
...