Information Leak Through Sent Data
Weakness ID: 201 (Weakness Variant)Status: Draft
+ Description

Description Summary

The accidental leaking of sensitive information through sent data refers to the transmission of data which are either sensitive in and of itself or useful in the further exploitation of the system through standard data channels.
+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Common Consequences

Data leakage results in the compromise of data confidentiality.

+ Demonstrative Examples

Example 1

The following is an actual mysql error statement:

Example Language: SQL 
Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/ on line 4
+ Potential Mitigations

Requirements specification: Specify data output such that no sensitive data is sent.

Phase: Implementation

Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Setup default error message to handle unexpected errors.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
CanAlsoBeWeakness VariantWeakness Variant202Privacy Leak through Data Queries
Research Concepts1000
CanAlsoBeWeakness BaseWeakness Base209Information Exposure Through an Error Message
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPAccidental leaking of sensitive information through sent data
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
12Choosing a Message/Channel Identifier on a Public/Multicast Channel
+ Content History
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Potential Mitigations