Information Exposure Through Discrepancy |
Weakness ID: 203 (Weakness Class) | Status: Incomplete |
Description Summary
The product behaves differently or sends different responses in a way that exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. |
Setup generic response for error condition. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. The attacker who tries random account name may be able to guess some of them. Confirming that the account exists would make the login page more susceptible to brute force attack. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 200 | Information Exposure | Development Concepts (primary)699 Research Concepts (primary)1000 |
ChildOf | Category | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 728 | OWASP Top Ten 2004 Category A7 - Improper Error Handling | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ParentOf | Weakness Base | 204 | Response Discrepancy Information Leak | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 205 | Information Exposure Through Behavioral Discrepancy | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | Weakness Base | 208 | Timing Discrepancy Information Leak | Development Concepts (primary)699 Research Concepts (primary)1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Discrepancy Information Leaks | ||
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling |
OWASP Top Ten 2004 | A7 | CWE More Specific | Improper Error Handling |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Potential Mitigations, Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2009-12-28 | Discrepancy Information Leaks | |||