Page History

This guideline extends equally to server side applications as well as clients. Adversaries can glean sensitive information from not only vulnerable web servers but also from innocent users who use vulnerable web browsers. In 2004, Schoenefeld discovered an instance in the Opera v7.54 web browser, wherein an attacker could use the {{sun.security.krb5.Credentials}} class in an applet as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown {{java.security.AccessControlException}}." \[[Schoenefeld 042004|AA. Java References#Schoenefeld 04]\].

\[[SCG 072007|AA. Java References#SCG 07]\] Guideline 3-4 Purge sensitive information from exceptions
\[[Gong 032003|AA. Java References#Gong 03]\] 9.1 Security Exceptions
\[[MITRE 092009|AA. Java References#MITRE 09]\] [CWE ID 209|http://cwe.mitre.org/data/definitions/209.html] "Error Message Information Leak", [CWE ID 600|http://cwe.mitre.org/data/definitions/600.html] "Failure to Catch All Exceptions (Missing Catch Block)", [CWE ID 497|http://cwe.mitre.org/data/definitions/497.html] "Information Leak of System Data"