Information Leak Through Servlet Runtime Error Message
Weakness ID: 536 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
+ Time of Introduction
  • Implementation
+ Common Consequences
ScopeEffect
Confidentiality
Access Control

In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.

+ Demonstrative Examples

Example 1

The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace).

(Bad Code)
Example Language: Java 
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");

// May cause unchecked NullPointerException.
if (username.length() < 10) {
...
}
}
+ Potential Mitigations

Do not expose sensitive error information to the user.

+ Other Notes

The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application include files or configuration information. It may even disclose the portion of code that failed.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base210Product-Generated Error Message Information Leak
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Common Consequences
Back to top