
Failure to filter sensitive information when propagating exceptions often results in information leaks that can assist an attacker's efforts to expand the attack surface. An attacker may craft input arguments to expose internal structures and mechanisms of the application. Both the exception message text and the type of an exception can leak information. For example, the message of a FileNotFoundException reveals information about the file system layout and the exception type reveals the absence of the requested file.

This rule applies to server-side applications as well as to clients. Adversaries can glean sensitive information not only from vulnerable web servers but also from victims who use vulnerable web browsers. In 2004, Schoenefeld discovered an exploit for the Opera v7.54 web browser, wherein an attacker could use the sun.security.krb5.Credentials class in an applet as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown java.security.AccessControlException" [[Schoenefeld 2004]].

All exceptions reveal information that can assist an attacker's efforts to carry out a denial of service against the system. Consequently, programs must filter both exception messages and exception types that can propagate across trust boundaries. The table shown below lists several problematic exceptions:
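The following is an added example (not code from this rule) showing the two leak channels described above, the exception message and the exception type, beside a version that filters both at the trust boundary. It opens a file whose name comes from an untrusted caller; the class name, the allow-list contents and the fixed "Access denied" message are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example, not part of the CERT rule text: opening a file named by an
 * untrusted caller, first in a form that leaks through the exception and then
 * in a form that filters the exception before it crosses the trust boundary.
 * SafeFileAccess, PERMITTED and the sample paths are assumptions.
 */
public final class SafeFileAccess {
    private static final Logger LOG = Logger.getLogger(SafeFileAccess.class.getName());

    /** Files the caller is permitted to request (assumed allow-list). */
    private static final Set<String> PERMITTED = Set.of("/srv/app/file1", "/srv/app/file2");

    /**
     * Noncompliant: a FileNotFoundException escapes with the attempted path in
     * its message, and its type alone tells the caller the file does not exist.
     */
    public static InputStream openUnfiltered(String userPath) throws IOException {
        return new FileInputStream(userPath); // message contains userPath
    }

    /**
     * Compliant: the untrusted name is checked against the allow-list before any
     * file-system access, and every failure is reported to the caller with one
     * generic exception type and a fixed message. The real cause is logged on
     * the server side, where it is useful, and never reaches the caller.
     */
    public static InputStream openFiltered(String userPath) {
        if (!PERMITTED.contains(userPath)) {
            // Reject unknown names before touching the file system at all
            throw new SecurityException("Access denied");
        }
        try {
            return new FileInputStream(userPath);
        } catch (FileNotFoundException e) {
            // Keep the detail for operators; the caller learns nothing specific
            LOG.log(Level.WARNING, "file open failed", e);
            throw new SecurityException("Access denied");
        }
    }

    public static void main(String[] args) {
        // Constructed probe value: a path that is neither permitted nor present
        String probe = args.length > 0 ? args[0] : "/srv/app/does-not-exist";
        try {
            openUnfiltered(probe);
        } catch (IOException e) {
            // Shows the leak: the type and message reveal the path and its absence
            System.out.println("Unfiltered: " + e.getClass().getName() + ": " + e.getMessage());
        }
        try {
            openFiltered(probe);
        } catch (SecurityException e) {
            // Same type and message whether the name was rejected or the file is missing
            System.out.println("Filtered:   " + e.getClass().getName() + ": " + e.getMessage());
        }
    }
}
```

The filtered version deliberately throws the same exception type with the same message for a rejected name and for a missing file, so the caller cannot use the exception as an oracle for which permitted files exist; the distinguishing detail is available only in the server-side log.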

| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|----------------|----------|------------|------------------|----------|-------|
| ERR06-J        | medium   | probable   | high             | P4       | L3    |

Related Vulnerabilities

CVE-2009-2897

Other Languages

This rule appears in the C++ Secure Coding Standard as ERR12-CPP. Do not allow exceptions to transmit sensitive information.

Bibliography

[[Gong 2003]] Section 9.1, "Security Exceptions"
[[MITRE 2009]] CWE ID 209, "Error Message Information Leak"; CWE ID 600, "Failure to Catch All Exceptions (Missing Catch Block)"; CWE ID 497, "Information Leak of System Data"
[[SCG 2007]] Guideline 3-4, "Purge sensitive information from exceptions"

