Propagating the contents of exceptions without explicitly filtering sensitive information often results in information leaks that can assist an attacker's efforts to expand the attack surface. An attacker may craft input parameters that attempt to provoke exposure of internal structures and mechanisms of the application. Both the exception message text and the type of an exception can leak information. For example, given an exception of type FileNotFoundException, the message reveals information regarding the file system layout and the exception type reveals the absence of the requested file.
This guideline applies to server-side applications as well as to clients. Adversaries can glean sensitive information not only from vulnerable web servers but also from innocent users who use vulnerable web browsers. In 2004, Schoenefeld discovered an exploit for the Opera v7.54 web browser, wherein an attacker could use the sun.security.krb5.Credentials class in an applet as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown java.security.AccessControlException" [Schoenefeld 2004].
All errors reveal information that can assist an attacker's efforts to carry out a denial of service against the system. Consequently, programs must filter both exception messages and exception types that can propagate across trust boundaries. The table shown below lists a few sensitive errors and exceptions:
...
This attack is possible even when the application displays only a sanitized message when the file is not found. Failure to restrict user input leaves the system vulnerable to a brute-force attack in which the attacker enumerates valid file names on a system by monitoring which specific inputs generate the sanitized message because the corresponding file was not found.
This noncompliant example fails to sanitize the exception, consequently enabling the attacker to also learn the user's home directory and, as a result, the user name.
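As an added example that is not code from the guideline, the following Java program puts the two points above side by side: what a raw FileNotFoundException exposes (its message carries the path that was tried, its type announces that the file is absent), and why merely replacing the message is not enough, since a name that maps to an existing file still produces a different response than one that does not. The third method restricts the input to an allow-list before the file system is touched, so that an unknown name never produces a file-system-dependent answer. The allow-list contents, the directory and the probe file name are assumptions constructed for this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Set;

/*
 * Added example (not the guideline's own code). Three handlers for a
 * caller-supplied file name:
 *   leak()     - propagates the exception message and type unchanged
 *   sanitize() - replaces the message, but existing and absent names still
 *                yield different answers, so the response remains an oracle
 *   restrict() - validates the name against an allow-list first, so an
 *                unknown name never reaches the file system at all
 * The allow-list is an assumption of this example.
 */
public final class ExceptionLeakDemo {

    // Assumed set of file names this service is permitted to serve.
    private static final Set<String> ALLOWED = Set.of("report.txt", "summary.txt");

    private static byte[] readFile(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f)) {
            return in.readAllBytes();
        }
    }

    /** Noncompliant: the message (path) and the type (absence) reach the caller. */
    public static String leak(String baseDir, String name) {
        try {
            readFile(new File(baseDir, name));
            return "ok";
        } catch (IOException e) {
            // getMessage() of a FileNotFoundException normally contains the path tried
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    /** Still noncompliant: generic text, but "ok" vs. failure tells the caller whether the name exists. */
    public static String sanitize(String baseDir, String name) {
        try {
            readFile(new File(baseDir, name));
            return "ok";
        } catch (IOException e) {
            return "requested file could not be opened";
        }
    }

    /** Restricts input first; a disallowed name gets the same answer whatever the file system holds. */
    public static String restrict(String baseDir, String name) {
        if (!ALLOWED.contains(name)) {
            return "request rejected";
        }
        try {
            readFile(new File(baseDir, name));
            return "ok";
        } catch (IOException e) {
            // Details stay on the trusted side (a log), never in the response.
            System.err.println("internal: " + e);
            return "request rejected";
        }
    }

    public static void main(String[] args) {
        String dir = System.getProperty("java.io.tmpdir");
        // Constructed probe name, chosen so that it does not exist.
        String probe = "no-such-file-" + System.nanoTime() + ".txt";
        System.out.println("leak:     " + leak(dir, probe));
        System.out.println("sanitize: " + sanitize(dir, probe));
        System.out.println("restrict: " + restrict(dir, probe));
    }
}
```

Running it shows the first line naming java.io.FileNotFoundException together with the full path, the second line a neutral message that nonetheless differs from the "ok" an existing file would return, and the third line the same "request rejected" that any name outside the allow-list receives. The allow-list check is what removes the file-system state from the response; the generic message alone does not.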
Noncompliant Code Example (rethrowing sensitive exception)
...
Compliant Solution (Forward to Dedicated Handler or Reporter)
This compliant solution catches and sanitizes the exception and its message before propagating it to the caller. In cases where the exception type itself can reveal too much information, consider throwing a different exception altogether (with a different message, or possibly a higher-level exception, an approach referred to as exception translation). The MyExceptionReporter class described in guideline EXC01-J. Use a class dedicated to reporting exceptions is a good choice, as this compliant solution exemplifies.
...
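The following Java example is added here to illustrate the pattern described in this compliant solution; it is not the guideline's own code, and the MyExceptionReporter class in it is a hypothetical stand-in for the one EXC01-J describes, not that class's actual implementation. The full exception (type, message and stack trace) is forwarded to the reporter, which records it in a trusted log, while the caller receives a translated, higher-level ServiceException whose message is fixed and which carries no cause, so neither the original type nor the path in its message can cross the trust boundary. The logger name and the exception class are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

/*
 * Added example (not the guideline's own code). Demonstrates forwarding a
 * sensitive exception to a dedicated reporter and translating it into a
 * higher-level exception before it reaches an untrusted caller.
 */
public final class FileService {

    /** Hypothetical reporter: keeps exception details on the trusted side of the boundary. */
    static final class MyExceptionReporter {
        private static final Logger LOG = Logger.getLogger("trusted.audit");  // assumed logger name

        static void report(Throwable t) {
            // Full detail, including any path in the message, goes only to the log.
            LOG.log(Level.WARNING, "file operation failed", t);
        }
    }

    /** Higher-level exception exposed across the trust boundary (exception translation). */
    public static final class ServiceException extends Exception {
        ServiceException(String safeMessage) {
            // No cause is attached, so getCause() cannot hand the original exception to the caller.
            super(safeMessage);
        }
    }

    /**
     * Opens a file on behalf of an untrusted caller. FileNotFoundException is a
     * subclass of IOException, so one catch clause covers both the missing-file
     * case and other I/O failures with a single, identical response.
     */
    public static byte[] open(String baseDir, String name) throws ServiceException {
        try (FileInputStream in = new FileInputStream(new File(baseDir, name))) {
            return in.readAllBytes();
        } catch (IOException e) {
            MyExceptionReporter.report(e);
            throw new ServiceException("request could not be completed");
        }
    }

    public static void main(String[] args) {
        try {
            // Constructed name, chosen so that the file does not exist.
            open(System.getProperty("java.io.tmpdir"), "missing-" + System.nanoTime() + ".txt");
        } catch (ServiceException e) {
            // What the untrusted caller can observe: a generic type and message, and no cause.
            System.out.println(e.getClass().getSimpleName() + ": " + e.getMessage()
                    + " (cause=" + e.getCause() + ")");
        }
    }
}
```

The design point is that the reporter and the thrown exception are separate channels: the reporter receives everything and is trusted, the thrown exception carries only a constant message and a type chosen for the caller's level of abstraction. Wrapping the original as the cause of the new exception would defeat the translation, because getCause() and the printed stack trace would expose it again.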