Reino: Encapsulation

Encapsulamento consiste em traçar limites fortes. Em um navegador web, isso pode significar que seu código para dispositivos móveis não pode ser abusado por outros códigos para dispositivos móveis. No servidor, pode significar a diferenciação entre dados validados e não validados, entre os dados de dois usuários ou entre os dados que os usuários podem ou não acessar.

System Information Leak: Internal

Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.
Exemplo 1: O código a seguir imprime as informações de versão do SAPFTP na tela:


...
CALL FUNCTION 'FTP_VERSION'
  ...
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE =                 FTP_TRACE.

WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir, 'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...


Dependendo da configuração da tela de seleção, essas informações podem ser despejadas em uma tela ou enviadas diretamente para uma impressora. Em alguns casos, as informações de versão dizem ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Da mesma forma, mensagens de erro também podem dizer ao invasor a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.abap.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir imprime um rastreamento de pilha em um console de "Depuração" ou em um arquivo de log:


  try {
    ...
  }
  catch(e:Error) {
    trace(e.getStackTrace());
  }


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque SQL injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, o caminho de pesquisa pode implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.actionscript.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O seguinte código grava uma mensagem de exceção no log de depuração:


try {
    ...
} catch (Exception e) {
    System.Debug(LoggingLevel.ERROR, e.getMessage());
}


A mensagem de erro pode permitir que um adversário planeje um ataque. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[20] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.apex.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.
Exemplo 1: O código a seguir constrói uma cadeia de conexão de banco de dados, utiliza-a para criar uma nova conexão com o banco de dados e a grava no console.


string cs="database=northwind;server=mySQLServer...";
SqlConnection conn=new SqlConnection(cs);
...
Console.Writeline(cs);


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dotnet.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informações ocorre quando os dados do sistema ou as informações de depuração são enviados por meio de registro em log ou da impressão em um arquivo local, um console ou na tela.
Exemplo 1: O código a seguir imprime a variável de ambiente de caminho no fluxo de erros padrão:


  char* path = getenv("PATH");
  ...
  fprintf(stderr, "cannot find exe on path %s\n", path);


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque SQL injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, o caminho de pesquisa pode implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cpp.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informações ocorre quando os dados do sistema ou as informações de depuração são enviados por meio de registro em log ou da impressão em um arquivo local, um console ou na tela.
Exemplo 1: O código a seguir solicita um despejo de transação de todas as áreas de armazenamento relacionadas à tarefa, a tabela de controle do terminal e uma área de dados especificada:


...
EXEC CICS DUMP TRANSACTION
  DUMPCODE('name')
  FROM (data-area)
  LENGTH (data-value)
END-EXEC.
...


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cobol.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava um arquivo no sistema de arquivos local:


<cfscript>
    try { 
        obj = CreateObject("person"); 
    } 
    catch(any excpt) { 
        f = FileOpen("c:\log.txt", "write"); 
        FileWriteLine(f, "#excpt.Message#");
        FileClose(f);
    }
</cfscript>


Essas informações são gravadas em um arquivo de log. Em alguns casos, a mensagem diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cfml.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava uma exceção em um arquivo local:


  final file = await File('example.txt').create();
  final raf = await file.open(mode: FileMode.write);
  final data = String.fromEnvironment("PASSWORD");
  raf.writeString(data);


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.

O vazamento de informações também é uma preocupação em um ambiente de computação móvel.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informações ocorre quando os dados do sistema ou as informações de depuração são enviados por meio de registro em log ou da impressão em um arquivo local, um console ou na tela.
Exemplo 1: O código a seguir imprime a variável de ambiente de caminho no fluxo de erros padrão:


  path := os.Getenv("PATH")
  ...
  log.Printf("Cannot find exe on path %s\n", path)


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro informa ao invasor precisamente a qual tipo de ataque o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL injection. Outras mensagens de erro podem revelar indicações mais indiretas sobre o sistema. No Example 1, o caminho de pesquisa pode implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e o nível de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.golang.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento externo de informações ocorre quando dados do sistema ou informações de depuração deixam o programa em direção a uma máquina remota através de uma conexão de rede ou soquete. Os vazamentos externos podem ajudar um invasor ao revelar dados específicos sobre os sistemas operacionais, os nomes de caminho completos, a existência de nomes de usuários ou os locais dos arquivos de configuração, e são mais sérios do que vazamentos de informações internas, que são mais difíceis de acessar para os invasores.

Exemplo 1: O código a seguir deixa vazar informações de Exceção na resposta HTTP:


protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
    ...
    PrintWriter out = res.getWriter();
    try {
        ...
    } catch (Exception e) {
      out.println(e.getMessage());
    }
}


Essas informações podem ser expostas a um usuário remoto. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.

O vazamento de informações também é uma preocupação em um ambiente de computação móvel. Com plataformas móveis, os aplicativos são baixados de várias fontes e são executados lado a lado no mesmo dispositivo. A probabilidade de execução de um malware junto com um aplicativo de banco é alta e é por isso que os autores de aplicativos precisam ser cuidadosos a respeito de quais informações eles incluem em mensagens endereçadas a outros aplicativos em execução no dispositivo.

Exemplo 2: O código a seguir transmite o rastreamento de pilha de uma exceção detectada para todos os receptores Android registrados.

...
try {
  ...
} catch (Exception e) {
    String exception = Log.getStackTraceString(e);
    Intent i = new Intent();
    i.setAction("SEND_EXCEPTION");
    i.putExtra("exception", exception);
    view.getContext().sendBroadcast(i);
}
...


Este é outro cenário específico ao ambiente móvel. A maioria dos dispositivos móveis agora implementa um protocolo NFC (Near-Field Communication) para o rápido compartilhamento de informações entre dispositivos que utilizam a comunicação por rádio. Ele funciona aproximando os dispositivos ou fazendo com que eles se toquem. Mesmo que o alcance de comunicação do NFC esteja limitado a apenas alguns centímetros, espionagens, modificação de dados e vários outros tipos de ataques são possíveis, já que o NFC, por si só, não garante a comunicação segura.

Exemplo 3: A plataforma Android fornece suporte para NFC. O código a seguir cria uma mensagem que é enviada ao outro dispositivo dentro do intervalo.

...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE);
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
  return;

String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
            MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
nfcAdapter.setNdefPushMessage(msg, this);
...


Uma mensagem NDEF (NFC Data Exchange Format) contém dados com tipos definidos, um URI ou uma carga de aplicativo personalizada. Se a mensagem contiver informações sobre o aplicativo, como seu nome, tipo MIME ou versão de software do dispositivo, essas informações poderão vazar para um intruso.
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[20] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.system_information_leak_external
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava uma exceção no fluxo de erro padrão:


var http = require('http');
...

http.request(options, function(res){
  ...
}).on('error', function(e){
  console.log('There was a problem with the request: ' + e);
});
...


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.javascript.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava uma exceção no fluxo de erro padrão:


try {
    ...
} catch (e: Exception) {
    e.printStackTrace()
}


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.

O vazamento de informações também é uma preocupação em um ambiente de computação móvel.

Exemplo 2: O código a seguir registra o rastreamento de pilha de uma exceção detectada na plataforma Android.

...
try {
  ...
} catch (e: Exception) {
    Log.e(TAG, Log.getStackTraceString(e))
}
...
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[20] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.kotlin.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informações ocorre quando os dados do sistema ou as informações de depuração são enviados por meio de registro em log ou da impressão em um arquivo local, um console ou na tela.
Exemplo 1: O código a seguir deixa vazar informações do sistema no log do sistema:


...
NSString* deviceID = [[UIDevice currentDevice] name];

NSLog(@"DeviceID: %@", deviceID);
...


No mundo móvel, outras áreas de interesse para a manutenção de informações do sistema surgem quando um dispositivo é perdido ou roubado. Uma vez em poder de um dispositivo iOS, um invasor pode acessar uma grande quantidade de dados conectando o dispositivo via USB. Arquivos como listas de propriedade iOS (iOS Property Lists, plists) e bancos de dados SQLite são facilmente acessados e podem revelar informações pessoais. Como regra geral, as informações relacionadas a privacidade não devem ser armazenadas sem proteção no sistema de arquivos.

Exemplo 2: Este código adiciona uma entrada deviceID à lista de padrões do usuário e os armazena imediatamente em um arquivo plist.


...
NSString* deviceID = [[UIDevice currentDevice] name];

[defaults setObject:deviceID forKey:@"deviceID"];
[defaults synchronize];
...


O código no Example 2 armazena informações do sistema contidas no dispositivo móvel em um arquivo plist desprotegido que é armazenado nesse dispositivo. Embora muitos desenvolvedores confiem em arquivos plist como um local de armazenamento seguro para todos os tipos de dados, convém não confiar neles implicitamente, particularmente nos casos em que as informações do sistema e a privacidade são uma grande preocupação, pois esses arquivos podem ser lidos por qualquer usuário que venha a se apossar do dispositivo.

Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava uma exceção no fluxo de erro padrão:


<?php
    ...
    echo "Server error! Printing the backtrace";
    debug_print_backtrace();
    ...
?>


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.php.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: Este código grava uma exceção no fluxo de saída padrão:


    try:
        ...
    except:
        print(sys.exc_info()[2])


Essas informações são despejadas em um console. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.python.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir grava uma exceção no fluxo de erro padrão:


...
begin
  log = Logger.new(STDERR)
  ...
rescue Exception
    log.info("Exception: " + $!)
...
end


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa. Naturalmente, outro problema com o Example 1 é resgatar a raiz Exception em vez de um tipo específico ou erro/exceção, significando que isso capturará todas as exceções, podendo causar outros efeitos colaterais desconsiderados.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.ruby.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir imprime as informações do Sistema no fluxo de saída padrão:


...
println(Properties.osName)
...


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro fornece ao invasor o tipo exato de ataque ao qual o sistema está vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de injeção de SQL. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema. No Example 1, as informações vazadas podem implicar informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e a quantidade de cuidado que os administradores dedicaram à configuração do programa.
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[20] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.scala.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração ajuda um adversário a adquirir mais informações sobre o sistema e formular um plano de ataque.
Explanation
Um vazamento interno de informações ocorre quando os dados do sistema ou as informações de depuração são enviados por meio de registro em log ou da impressão em um arquivo local, um console ou na tela.



No mundo móvel, outras áreas de interesse para a manutenção de informações do sistema surgem quando um dispositivo é perdido ou roubado. Uma vez em poder de um dispositivo iOS, um invasor pode acessar uma grande quantidade de dados conectando o dispositivo via USB. Arquivos como listas de propriedade iOS (iOS Property Lists, plists) e bancos de dados SQLite são facilmente acessados e podem revelar informações pessoais. Como regra geral, as informações relacionadas a privacidade não devem ser armazenadas sem proteção no sistema de arquivos.

Exemplo 1: O código a seguir imprime o identificador do dispositivo nos logs do sistema:


let deviceName = UIDevice.currentDevice().name
...
NSLog("Device Identifier: %@", deviceName)


Dependendo da configuração do sistema, essas informações podem ser despejadas em um console, gravadas em um arquivo de log ou expostas para um usuário. Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.system_information_leak_internal
Abstract
Revelar dados do sistema ou informações de depuração pode permitir que um adversário use as informações do sistema para planejar um ataque.
Explanation
Um vazamento interno de informação ocorre quando dados do sistema ou informações de depuração são enviados para um arquivo, console ou tela local via impressão ou registro em log.

Exemplo 1: O código a seguir envia um objeto ASPError a um depurador de scripts, como o Microsoft Script Debugger:


...
Debug.Write Server.GetLastError()
...


Em alguns casos, a mensagem de erro diz ao invasor precisamente a que tipo de ataque o sistema é vulnerável. Por exemplo, uma mensagem de erro de banco de dados pode revelar que o aplicativo é vulnerável a um ataque de SQL Injection. Outras mensagens de erro podem revelar pistas mais indiretas sobre o sistema, como informações sobre o tipo de sistema operacional, os aplicativos instalados no sistema e o quão cuidadosos os administradores foram na configuração do programa.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 497
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AC-23 Data Mining Protection (P0), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AC-23 Data Mining Protection, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[13] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.vb.system_information_leak_internal