Kingdom: Encapsulation
Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
System Information Leak: Internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example: The following code prints the SAPFTP version information on the screen:
...
CALL FUNCTION 'FTP_VERSION'
  ...
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE   = FTP_TRACE.
WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir, 'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...
Depending on how the selection screen is configured, this output can be displayed on screen or sent directly to a printer. The executable path and working directory reveal the server's filesystem layout, and a precise component version sometimes tells an attacker exactly which attack the system is vulnerable to. Error messages do the same: a database error message can reveal that the application is vulnerable to SQL injection, and other error messages give more oblique clues about the system.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.abap.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code prints a stack trace to either a "Debug" console or a log file:
try {
    ...
}
catch(e:Error) {
    trace(e.getStackTrace());
}
Depending on the system configuration, this output can be dumped to a console, written to a log file, or exposed to a user. In some cases an error message tells the attacker precisely which attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to SQL injection, and other error messages give more oblique clues about the system. In Example 1, the stack trace lists the classes and methods on the call path and, in the debugger version of the player, the source file names and line numbers as well, which exposes the application's internal structure to whoever can read the trace output.
desc.semantic.actionscript.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception message to the debug log:
try {
    ...
} catch (Exception e) {
    System.debug(LoggingLevel.ERROR, e.getMessage());
}
The error message could enable an adversary to plan an attack. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
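The pattern that fixes both the ActionScript and the Apex examples above, shown as an added example that is not code from the page or from either platform, and written in Python only because the page spans several languages: the exception type, message and stack trace go to a restricted log, and the screen or console channel receives nothing but a generic message with an opaque reference an operator can look up. The logger names, `handle_failure`, `run_demo` and the `SimulatedDbError` message are all constructed for this example.

```python
import logging
import traceback
import uuid
from io import StringIO

# Two sinks: the screen/console channel and a restricted channel that, by
# assumption, only operators can read. Names are this example's, not a framework's.
user_log = logging.getLogger("example.user")
restricted_log = logging.getLogger("example.restricted")


class SimulatedDbError(Exception):
    """Stands in for a database driver exception (constructed for this example)."""


def handle_failure(exc):
    """Send full detail to the restricted log; return the only text safe to surface."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Type, message and stack trace go where the trace() call in Example 1 sent them.
    restricted_log.error("ref=%s type=%s\n%s", ref, type(exc).__name__, detail)
    # The surfaced message carries no system detail, only a reference for the operator.
    safe = f"The operation could not be completed (ref {ref})"
    user_log.error(safe)
    return safe


def leaks_detail(surfaced, exc):
    """True if surfaced text repeats the raw exception message or contains a stack frame."""
    raw = str(exc)
    return (bool(raw) and raw in surfaced) or "Traceback" in surfaced or 'File "' in surfaced


def run_demo():
    """Drive one failure through both channels; return (safe message, user text, restricted text)."""
    user_buf, restricted_buf = StringIO(), StringIO()
    attached = [(user_log, logging.StreamHandler(user_buf)),
                (restricted_log, logging.StreamHandler(restricted_buf))]
    for logger, handler in attached:
        logger.setLevel(logging.ERROR)
        logger.propagate = False
        logger.addHandler(handler)
    try:
        try:
            # Constructed driver message of the kind that betrays SQL injection:
            # it quotes the failing statement together with the unescaped input.
            raise SimulatedDbError(
                "syntax error at or near \"OR 1=1\" in: SELECT * FROM users WHERE name = '' OR 1=1")
        except SimulatedDbError as exc:
            safe = handle_failure(exc)
    finally:
        for logger, handler in attached:
            handler.flush()
            logger.removeHandler(handler)
    return safe, user_buf.getvalue(), restricted_buf.getvalue()


if __name__ == "__main__":
    message, user_text, restricted_text = run_demo()
    print("surfaced:", message)
    print("restricted log:\n" + restricted_text)
```

The reference is the only thing the two channels share, so a report from a user can be matched to the full record without the record ever having left the restricted log. `leaks_detail` is a cheap guard to keep in tests: it fails the moment someone reintroduces `str(e)` into a user-facing message.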
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
desc.dataflow.apex.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code constructs a database connection string, uses it to create a new connection to the database, and writes it to the console.
string cs = "database=northwind;server=mySQLServer...";
SqlConnection conn = new SqlConnection(cs);
...
Console.WriteLine(cs);
Depending on the system configuration, this output can be dumped to a console, written to a log file, or exposed to a user. In some cases an error message tells the attacker precisely which attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to SQL injection, and other error messages give more oblique clues about the system. In Example 1, the connection string names the database server and the database and, if they are embedded in it, the credentials used to reach them; that is enough for anyone who can read the console or a captured log to target the database directly.
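How to keep the diagnostic value of the connection string without the leak, as an added Python example that is not part of the page and not a .NET API: a quote-aware splitter and a redaction routine that records which keys were set, keeps an allowlist of harmless flags, drops credentials and masks host and database names. The key sets and the sample connection string are constructed for the example.

```python
# Keys whose values are credentials; they are never written out.
SECRET_KEYS = {"password", "pwd", "user id", "uid", "user", "username", "accesstoken"}
# Flags that say nothing useful about the environment; their values may be logged.
SAFE_KEYS = {"encrypt", "trustservercertificate", "connect timeout", "pooling", "application name"}


def split_pairs(cs):
    """Split on ';' outside quotes; a quoted value such as 'p;ss' must stay whole."""
    parts, buf, quote = [], [], None
    for ch in cs:
        if quote:
            if ch == quote:
                quote = None
            buf.append(ch)
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_connection_string(cs):
    """Return [(key, value)] with keys lower-cased and surrounding quotes removed."""
    pairs = []
    for part in split_pairs(cs):
        key, sep, value = part.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        pairs.append((key.strip().lower(), value if sep else ""))
    return pairs


def redact_connection_string(cs):
    """Loggable form: credentials dropped, host and database masked, harmless flags kept."""
    out = []
    for key, value in parse_connection_string(cs):
        if key in SECRET_KEYS:
            out.append(f"{key}=[REDACTED]")
        elif key in SAFE_KEYS:
            out.append(f"{key}={value}")
        else:
            out.append(f"{key}=<set>")  # server, database, data source and the like
    return ";".join(out)


def leaks_values(cs, logged):
    """True if any non-allowlisted value from cs appears verbatim in the logged text."""
    return any(value and value in logged
               for key, value in parse_connection_string(cs) if key not in SAFE_KEYS)


# Constructed sample: a quoted password containing ';' plus a host and database name.
SAMPLE_CS = "database=northwind;server=mySQLServer;user id=app;password='p;ss;w0rd';Encrypt=True"

if __name__ == "__main__":
    print(redact_connection_string(SAMPLE_CS))
```

The redacted form still answers the question the original `Console.WriteLine(cs)` was there to answer (which keys were supplied and whether transport encryption was requested) while `leaks_values` confirms that no host, database or credential from the input reached the output.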
desc.dataflow.dotnet.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.
Example 1: The following code prints the path environment variable to the standard error stream:
char* path = getenv("PATH");   /* the process's full executable search path */
...
fprintf(stderr, "cannot find exe on path %s\n", path);   /* hands it to whoever reads stderr */
Depending on the system configuration, this output can be dumped to a console, written to a log file, or exposed to a user. In some cases an error message tells the attacker precisely which attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to SQL injection, and other error messages give more oblique clues about the system. In Example 1, the search path reveals the type of operating system, the applications installed on it, and how much care the administrators have taken in configuring the program. Note that stderr is rarely a private channel: process supervisors and container runtimes routinely capture it into logs that reach a far wider audience than the terminal.
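A check you can run over captured output, as an added Python example that is not from the page: a small scanner that flags log lines carrying the kinds of internal detail shown in the ABAP and C examples above (absolute paths and PATH-style lists, version strings, connection-string values, driver error text, stack frames). The patterns and the sample log lines are constructed for this example and are heuristics that will need tuning for a real log format.

```python
import re

# One pattern per class of internal detail; all are heuristics written for this example.
LEAK_PATTERNS = {
    "unix_path":    re.compile(r"(?<![\w:])/(?:usr|bin|etc|home|opt|var|tmp)/[\w./-]*"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s;]+\\)*[^\\\s;]*"),
    "path_list":    re.compile(r"(?:/[\w.-]+)+(?::(?:/[\w.-]+)+)+"),  # PATH-style a:b:c
    "version":      re.compile(r"\b(?:version|ver|v)\s*[:=]?\s*\d+(?:\.\d+){1,3}\b", re.I),
    "conn_string":  re.compile(r"\b(?:server|data source|password|pwd)\s*=\s*[^;\s]+", re.I),
    "sql_error":    re.compile(r"\b(?:syntax error|ORA-\d{5}|SQLSTATE|near ['\"])", re.I),
    "stack_frame":  re.compile(r"^\s+at\s+[\w.$<>]+\(|^\s+File \".+\", line \d+", re.M),
}


def find_leaks(line):
    """Names of the leak classes present in one log line, sorted for stable output."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(line))


def scan(lines):
    """Return (line number, line, [leak classes]) for each line carrying internal detail."""
    hits = []
    for number, line in enumerate(lines, start=1):
        kinds = find_leaks(line)
        if kinds:
            hits.append((number, line, kinds))
    return hits


# Constructed sample log: the page's examples as they would land in a log, plus two clean lines.
SAMPLE_LOG = [
    "exepath: /usr/sap/FTP/bin/sapftp version: 7.20 working_dir: /usr/sap/tmp",
    "cannot find exe on path /usr/local/bin:/usr/bin:/bin:/opt/app/bin",
    "database=northwind;server=mySQLServer;password=hunter2",
    "Error: syntax error near 'OR 1=1' in SELECT * FROM users",
    '    File "/opt/app/handlers.py", line 42, in lookup',
    "request 8f3a completed in 12 ms",
    "login failed for user (ref 9c1b2d3e4f50)",
]

if __name__ == "__main__":
    for number, line, kinds in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)}: {line.strip()}")
```

Run over a day of application output, a scanner like this finds the `WRITE`, `trace()`, `System.debug`, `Console.WriteLine` and `fprintf(stderr, ...)` calls that static analysis missed, and the clean lines show the shape a user-facing message should have: an outcome and an opaque reference, nothing about the host.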
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cpp.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.
Example: The following code requests a transaction dump of all the task-related storage areas, the terminal control table, and a specified data area:
...
EXEC CICS DUMP TRANSACTION
DUMPCODE('name')
FROM (data-area)
LENGTH (data-value)
END-EXEC.
...
Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases the dumped storage, or an error message that accompanies it, tells the attacker precisely what sort of attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cobol.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debugging information is sent to a local file, console, or screen via printing or logging.
Example: The following code writes to a file on the local file system:
<cfscript>
try {
obj = CreateObject("person");
}
catch(any excpt) {
f = FileOpen("c:\log.txt", "write");
FileWriteLine(f, "#excpt.Message#");
FileClose(f);
}
</cfscript>
This information is written to a log file. In some cases the message tells the attacker precisely what sort of an attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
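Whoever inherits a log like the one the ColdFusion snippet produces will want to know what has already leaked into it. The following Go program is an added example, not code from the original page or from any vendor: it scans log lines for the categories of internal detail this weakness describes (local paths, database error text, stack frames, credentials, version banners). The patterns are heuristics chosen for the example and the sample log is constructed; pass a file path as the first argument to scan a real log instead.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
)

// Finding is one log line that appears to expose internal system data.
type Finding struct {
	Line     int
	Category string
	Text     string
}

// leakPatterns are heuristics for the kinds of detail this weakness puts into
// logs: local paths, database error text, stack frames, credentials and
// version banners. They were chosen for this example and are not exhaustive.
var leakPatterns = []struct {
	category string
	re       *regexp.Regexp
}{
	{"filesystem-path", regexp.MustCompile(`(?i)([a-z]:\\[^\s"']+|/(?:etc|home|var|usr|opt)/[^\s"']+)`)},
	{"sql-error", regexp.MustCompile(`(?i)(sqlstate|syntax error|ora-\d{5}|unclosed quotation|near ['"])`)},
	{"stack-trace", regexp.MustCompile(`(^\s+at [\w$.]+\(|goroutine \d+ \[|Traceback \(most recent)`)},
	{"credential", regexp.MustCompile(`(?i)\b(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+`)},
	{"version-banner", regexp.MustCompile(`(?i)\b(version|build)\s*[:=]?\s*v?\d+\.\d+(\.\d+)?`)},
}

// ScanLogForLeaks returns every line that matches at least one pattern,
// tagged with each category it matched, in file order.
func ScanLogForLeaks(lines []string) []Finding {
	var findings []Finding
	for i, line := range lines {
		for _, p := range leakPatterns {
			if p.re.MatchString(line) {
				findings = append(findings, Finding{Line: i + 1, Category: p.category, Text: line})
			}
		}
	}
	return findings
}

// SampleLog is a constructed log for the example, not taken from any real system.
var SampleLog = []string{
	"2024-05-01T10:00:00Z INFO request served in 12ms",
	"2024-05-01T10:00:01Z ERROR could not open C:\\inetpub\\app\\config\\db.cfm",
	"2024-05-01T10:00:02Z ERROR SQLSTATE[42000]: Syntax error or access violation near 'OR 1=1'",
	"2024-05-01T10:00:03Z DEBUG connecting with password=Sup3rS3cret",
	"\tat com.example.db.Query.execute(Query.java:88)",
	"2024-05-01T10:00:04Z INFO SAPFTP version: 6.40 started",
	"2024-05-01T10:00:05Z INFO user logged in",
}

func main() {
	lines := SampleLog
	if len(os.Args) > 1 { // optionally scan a real file: go run . /path/to/app.log
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		lines = nil
		sc := bufio.NewScanner(f)
		for sc.Scan() {
			lines = append(lines, sc.Text())
		}
	}
	for _, f := range ScanLogForLeaks(lines) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Category, f.Text)
	}
}
```

Each hit is a line that should not have been written in that form: the fix is at the logging call, not in the log file, but the scan shows where to look.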
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cfml.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes a secret taken from the build environment to a local file:
import 'dart:io';
Future<void> main() async {
  final file = await File('example.txt').create();
  final raf = await file.open(mode: FileMode.write);
  final data = const String.fromEnvironment("PASSWORD");
  await raf.writeString(data);
  await raf.close();
}
Depending on the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the leaked data or error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the file receives a credential supplied at build time, and the leaked information could also imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
Information leaks are also a concern in a mobile computing environment.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.
Example 1: The following code prints the path environment variable to the standard error stream:
path := os.Getenv("PATH")
...
log.Printf("Cannot find exe on path %s\n", path)
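The Dart snippet (a credential from the build environment written to a file) and the Go snippet above (the search path written to the log) share one fix: the detail that helps an operator goes to a restricted sink with secrets masked, while the console or screen sees only an opaque reference. The following Go program is an added example, not code from the original page or from any vendor; `RedactEnv`, `ErrorReporter`, the `secretName` pattern, the `diag.log` file name and the sample environment are all assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"log"
	"os"
	"regexp"
	"strings"
)

// secretName matches environment variable names whose values must never be
// written to a log or screen. Deliberately broad: a false positive hides a
// harmless value, a false negative leaks a secret. (Assumption for this example.)
var secretName = regexp.MustCompile(`(?i)(PASS|SECRET|TOKEN|KEY|CREDENTIAL)`)

// RedactEnv takes KEY=VALUE pairs in the shape of os.Environ() and masks the
// value of every secret-looking variable; entries without '=' pass through.
func RedactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, value, ok := strings.Cut(kv, "=")
		if !ok {
			out = append(out, kv)
			continue
		}
		if secretName.MatchString(name) {
			value = "[REDACTED]"
		}
		out = append(out, name+"="+value)
	}
	return out
}

// ErrorReporter separates the two audiences of a failure: the screen or
// console sees only a generic message with an opaque reference, while the
// full detail (error text, redacted environment) goes to a restricted sink.
type ErrorReporter struct {
	diag *log.Logger
}

func NewErrorReporter(restricted io.Writer) *ErrorReporter {
	return &ErrorReporter{diag: log.New(restricted, "diag ", log.LstdFlags)}
}

// Report records the detail and returns the text that is safe to display.
func (r *ErrorReporter) Report(err error, env []string) string {
	ref := newReference()
	r.diag.Printf("ref=%s err=%q env=%v", ref, err.Error(), RedactEnv(env))
	return fmt.Sprintf("The operation failed. Quote reference %s to support.", ref)
}

// newReference returns a random identifier that links a user-visible message
// to its diagnostic record without revealing anything about the system.
func newReference() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	// Constructed input: the environment of a failed executable lookup, as in
	// the Go snippet above, plus a secret of the kind the Dart snippet writes out.
	env := []string{"PATH=/usr/local/bin:/opt/app/bin", "DB_PASSWORD=hunter2", "HOME=/home/svc"}
	err := fmt.Errorf("cannot find exe on path %s", strings.TrimPrefix(env[0], "PATH="))

	// Leaky: the search path goes to the console, as in the original snippet.
	log.Printf("%v", err)

	// Safe: the console sees only the reference; the detail goes to a file
	// readable by the service account alone (mode 0600).
	f, ferr := os.OpenFile("diag.log", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
	if ferr != nil {
		log.Fatal(ferr)
	}
	defer f.Close()
	fmt.Println(NewErrorReporter(f).Report(err, env))
}
```

The reference is random rather than sequential so that it carries no information about request volume or ordering; the restricted sink can be a 0600 file, syslog, or any writer that the people who read the console cannot reach.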
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message tells the attacker precisely which type of attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.golang.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An external information leak occurs when system data or debug information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks, which are more difficult for an attacker to access.
Example 1: The following code leaks Exception information in the HTTP response:
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
...
PrintWriter out = res.getWriter();
try {
...
} catch (Exception e) {
// Raw exception text (driver errors, class names, paths) goes straight to the remote client.
out.println(e.getMessage());
}
}
This information can be exposed to a remote user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked message can reveal the type of operating system, the applications and libraries installed on the system, and the amount of care that the administrators have put into configuring the program.
Information leaks are also a concern in a mobile computing environment. With mobile platforms, applications are downloaded from various sources and are run alongside each other on the same device. The likelihood of running a piece of malware next to a banking application is high, which is why application authors need to be careful about what information they include in messages addressed to other applications running on the device.
Example 2: The following code broadcasts the stack trace of a caught exception to every application that has registered a receiver for the SEND_EXCEPTION action; the broadcast is implicit and carries no receiver permission, so any app on the device can collect it.
...
try {
...
} catch (Exception e) {
String exception = Log.getStackTraceString(e);
Intent i = new Intent();
i.setAction("SEND_EXCEPTION"); // implicit action, no receiver permission
i.putExtra("exception", exception);
// Implicit broadcast: every app with a receiver for SEND_EXCEPTION receives the full trace.
view.getContext().sendBroadcast(i);
}
...
This is another scenario specific to the mobile environment. Most mobile devices now implement a Near-Field Communication (NFC) protocol for quickly sharing information between devices using radio communication. It works by bringing devices in close proximity or having the devices touch each other. Even though the operating range of NFC is limited to just a few centimeters, an eavesdropper with a suitable antenna does not have to be that close, and eavesdropping, data modification and various other types of attacks are possible, because NFC alone does not ensure secure communication.
Example 3: The Android platform provides support for NFC. The following code creates a message that gets pushed to the other device within range.
...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
// getSystemService is an instance method of Context; this snippet runs inside an Activity.
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
// Requires READ_PHONE_STATE; the value identifies the device's software build.
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
return;
// Application tag and the device's software version travel in the clear.
String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
// Android Beam push (deprecated since API 29); NFC adds no encryption of its own.
nfcAdapter.setNdefPushMessage(msg, this);
...
An NFC Data Exchange Format (NDEF) message contains typed data, a URI, or a custom application payload. If the message contains information about the application, such as its name, MIME type, or device software version, this information could be leaked to an eavesdropper.
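To find the Example 1 pattern from the outside, the following added example (not from the original page or from Fortify) scans captured HTTP response bodies for stack frames, exception class names, database error text, absolute paths and internal addresses, the kinds of detail the explanation above names. The signature list, the URLs and the sample responses are constructed for this example.

```javascript
// Added example (not from the original page): a DAST-style check that scans
// HTTP response bodies for the detail Example 1 leaks. The signature list,
// the URLs and the sample bodies are constructed for this example.

const LEAK_SIGNATURES = [
  // Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
  { id: 'java-stack-frame', re: /\bat [\w$.]+\.[\w$<>]+\([\w$]+\.java:\d+\)/ },
  // Fully qualified exception class, e.g. "java.sql.SQLSyntaxErrorException"
  { id: 'exception-class', re: /\b(?:[a-z]\w*\.)+[A-Z]\w*(?:Exception|Error)\b/ },
  // Database driver error text that suggests a query is built from input
  { id: 'sql-error', re: /SQLSTATE|ORA-\d{5}|You have an error in your SQL syntax|syntax error at or near/i },
  // Absolute filesystem paths on Unix and Windows hosts
  { id: 'unix-path', re: /(?:^|[\s"'(:])\/(?:home|var|opt|usr|etc|srv|app)\/[\w./-]+/ },
  { id: 'windows-path', re: /\b[A-Za-z]:\\(?:[\w .-]+\\)+[\w .-]+/ },
  // RFC 1918 and loopback addresses, optionally with a port
  { id: 'internal-address', re: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})(?::\d{1,5})?\b/ },
];

// Returns one finding per matching signature, with a short evidence excerpt.
function findLeaks(body) {
  const findings = [];
  for (const { id, re } of LEAK_SIGNATURES) {
    const m = re.exec(body);
    if (m) findings.push({ signature: id, evidence: m[0].trim().slice(0, 80) });
  }
  return findings;
}

// Keeps only the responses that leak something, so the output is a work list.
function scanResponses(responses) {
  return responses
    .map(({ url, status, body }) => ({ url, status, leaks: findLeaks(body) }))
    .filter((r) => r.leaks.length > 0);
}

// Constructed sample responses standing in for what a crawler captured.
const SAMPLE_RESPONSES = [
  { url: '/account/update', status: 500,
    body: 'java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual\n' +
          '\tat com.example.dao.AccountDao.update(AccountDao.java:88)\n' +
          '\tat com.example.web.AccountServlet.doPost(AccountServlet.java:41)' },
  { url: '/report/export', status: 500,
    body: 'Cannot open /var/app/reports/tmp/export-1234.csv (Permission denied)' },
  { url: '/health', status: 503,
    body: 'connect ECONNREFUSED 10.0.3.17:5432' },
  { url: '/account/update', status: 500,
    body: 'An internal error occurred. Reference: a1b2c3d4' },
];

console.log(JSON.stringify(scanResponses(SAMPLE_RESPONSES), null, 2));
```

Run it over the 4xx and 5xx responses from a crawl; a flagged body is a candidate for a generic error page with the detail moved to server-side logging. The fourth sample shows what a non-leaking response looks like: a fixed message and an opaque reference only.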
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[14] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.system_information_leak_external
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception to the standard error stream:
var http = require('http');
...
http.request(options, function(res){
...
}).on('error', function(e){
// String(e) yields e.g. "Error: connect ECONNREFUSED <host>:<port>", naming internal hosts.
console.log('There was a problem with the request: ' + e);
});
...
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.javascript.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception to the standard error stream:
try {
...
} catch (e: Exception) {
e.printStackTrace() // full trace to System.err, which Android routes to logcat under the System.err tag
}
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
Information leaks are also a concern in a mobile computing environment.
Example 2: The following code logs the stack trace of a caught exception on the Android platform.
...
try {
...
} catch (e: Exception) {
Log.e(TAG, Log.getStackTraceString(e)) // full trace into the shared system log; readable with adb logcat and, before Android 4.1, by any app holding READ_LOGS
}
...
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[14] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.kotlin.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.
Example 1: The following code leaks system information to the system log:
...
NSString* deviceID = [[UIDevice currentDevice] name];
NSLog(@"DeviceID: %@", deviceID); // device name goes to the system log, readable from an attached host via Console or Xcode
...
In the mobile world, other areas of concern for maintaining system information arise when a device has been lost or stolen. Once in possession of an iOS device, an attacker may access a great deal of data by connecting the device by USB. Files such as iOS Property Lists (plists) and SQLite databases are easily accessed and can disclose personal information. As a general rule, privacy related information should not be stored unprotected on the file system.
Example 2: The following code adds a deviceID entry to the list of user defaults, and stores them immediately to a plist file.
...
NSString* deviceID = [[UIDevice currentDevice] name];
NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
// NSUserDefaults is backed by an unencrypted plist under Library/Preferences in the app sandbox.
[defaults setObject:deviceID forKey:@"deviceID"];
[defaults synchronize];
...
The code in Example 2 stores system information from the mobile device in an unprotected plist file on the device. Although many developers trust plist files as a safe storage location for any and all data, they should not be trusted implicitly, particularly when system information and privacy are a concern, since plist files can be read by anyone in possession of the device.
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception to the standard error stream:
<?php
...
echo "Server error! Printing the backtrace";
debug_print_backtrace();
...
?>
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.php.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception to the standard output stream:
import sys

try:
    ...
except:
    # The traceback object for the current exception is written to standard output
    print(sys.exc_info()[2])
This information is dumped to a console. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
References
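The following Python is added here as an illustration and is not code from the original description. It places the Example 1 pattern (the raw traceback leaves the trust boundary) beside a hardened handler that logs the full detail only to an internal logger under an opaque incident id and returns a generic message to the caller. The data-layer failure, the host name db01.internal, the logger name app.internal and all function names are constructed for the example.

```python
import logging
import sys
import traceback
import uuid
from io import StringIO

# Constructed: an internal-only logger, meant for operators (log file, SIEM),
# never for the user-facing response channel.
INTERNAL_LOG = logging.getLogger("app.internal")


def risky_lookup(user_id: str) -> dict:
    """Constructed data-layer call that fails with an implementation-revealing error."""
    raise RuntimeError(
        f'pg8000 error: relation "users" does not exist (host=db01.internal, user_id={user_id})'
    )


def handle_leaky(user_id: str) -> str:
    """The Example 1 pattern: the formatted traceback is handed straight to the caller."""
    try:
        risky_lookup(user_id)
    except Exception:
        # Equivalent in effect to print(sys.exc_info()[2]) on the response path:
        # stack frames, file paths and the backend error text all leave the process.
        return "".join(traceback.format_exception(*sys.exc_info()))
    return "ok"


def handle_hardened(user_id: str) -> str:
    """Log full detail internally, tie it to an opaque id, and return a generic message."""
    try:
        risky_lookup(user_id)
    except (RuntimeError, OSError):  # only the failures this code can actually handle
        incident_id = uuid.uuid4().hex
        # exc_info=True attaches the traceback to the internal record only.
        INTERNAL_LOG.error("lookup failed incident=%s", incident_id, exc_info=True)
        return f"An internal error occurred. Reference: {incident_id}"
    return "ok"


# Strings that should never appear in anything shown to a user.
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', ".internal", 'relation "')


def leaks_internal_detail(message: str) -> bool:
    """Cheap check for output carrying stack frames, file paths or backend names."""
    return any(marker in message for marker in LEAK_MARKERS)


def demo_hardened(user_id: str) -> tuple:
    """Run the hardened handler with an in-memory internal sink.

    Returns (user_message, internal_log_text) so both channels can be inspected.
    """
    sink = StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    INTERNAL_LOG.addHandler(handler)
    INTERNAL_LOG.setLevel(logging.ERROR)
    try:
        user_message = handle_hardened(user_id)
    finally:
        INTERNAL_LOG.removeHandler(handler)
    return user_message, sink.getvalue()


if __name__ == "__main__":
    print("leaky handler leaks detail:", leaks_internal_detail(handle_leaky("42")))
    msg, internal = demo_hardened("42")
    print("user sees:", msg)
    print("internal log carries traceback:", "Traceback" in internal)
```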
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.python.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code writes an exception to the standard error stream:
...
require 'logger'
begin
  log = Logger.new(STDERR)
  ...
rescue Exception
  # $! is the exception object; .message avoids a TypeError from string concatenation
  log.info("Exception: " + $!.message)
  ...
end
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program. Of course, another problem with Example 1 is rescuing the root Exception instead of a specific type of error/exception, meaning it will catch all exceptions, potentially causing other unconsidered side effects.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[9] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[12] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.ruby.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example 1: The following code prints system information to the standard output stream:
import scala.util.Properties
...
println(Properties.osName)
...
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases, the error message provides the attacker with the precise type of attack to which the system is vulnerable. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In Example 1, the leaked information could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[14] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.scala.system_information_leak_internal
Abstract
Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack.
Explanation
An internal information leak occurs when system data or debugging information is sent via logging or printing to a local file, console, or screen.
In the mobile world, other areas of concern for maintaining system information arise when a device has been lost or stolen. Once in possession of an iOS device, an attacker may access a great deal of data by connecting the device by USB. Files such as iOS Property Lists (plists) and SQLite databases are easily accessed and can disclose personal information. As a general rule, privacy related information should not be stored unprotected on the file system.
Example: The following code prints the device identifier to the system logs:
let deviceName = UIDevice.currentDevice().name
...
NSLog("Device Identifier: %@", deviceName)
Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system.
desc.dataflow.swift.system_information_leak_internal
Abstract
Revealing system data or debugging information could enable an adversary to use system information to plan an attack.
Explanation
An internal information leak occurs when system data or debug information is sent to a local file, console, or screen via printing or logging.
Example: The following code sends an ASPError object to a script debugger, such as the Microsoft Script Debugger:
...
Debug.Write Server.GetLastError()
...
In some cases the error message tells the attacker precisely what sort of an attack the system is vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system, such as information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.
desc.semantic.vb.system_information_leak_internal