Information Exposure Through Error Message

java.information_exposure_through_error_message

Severity

low

Resource

Information Leak

Language

Java

Description

Generation of error messages containing sensitive information.

Rationale

Error messages are an integral part of application development, used to communicate issues in the code to the developers. However, in a production environment, overly detailed error messages can become a security liability. For example, stack traces or database exception messages can disclose information about file paths, internal IP addresses, stack traces, database structure, or library versions, all of which can be exploited if in the hands of a malicious user.

try {
    // Code that might throw an exception
    int result = Integer.parseInt(userInput);
} catch (NumberFormatException e) {
    e.printStackTrace();  // Problematic: Directly prints stack trace
}

In the example above, e.printStackTrace() can reveal information about the application’s structure, potentially aiding an attacker. Consider replacing this with logging mechanisms that don’t expose implementation details to users.

Remediation

To remediate instances of information exposure through error messages, the primary action is to limit the detail provided in exceptions sent to the end-user. Consider the following steps:

Generic Error Messages: Ensure that user-facing error messages do not reveal detailed system information. Use generic language and avoid technical specifics.
Centralized Error Handling: Employ a global exception handling strategy using a framework that standardizes error responses across your applications.
Logging: Utilize logging frameworks to log detailed error information securely, ensuring logs do not expose sensitive data.
Security Review: Review all instances where exceptions are caught and handled, ensuring they follow the guidelines above, particularly in areas of code that are publicly accessible.

Following these steps reduces the risk of sensitive data exposure through error messages, thereby strengthening the security posture of the application.

In Java, you may use Spring’s @ControllerAdvice or @ExceptionHandler annotations for specialized and controlled error handling from a central location.

Logging frameworks like SLF4J with Logback can be used to log detailed error information securely, ensuring logs do not expose sensitive data.

Configuration

The detector has the following configurable parameters:

allow_explicitly_thrown_errors to allow explicitly thrown errors.

References

CWE-209 : Generation of Error Message Containing Sensitive Information.
OWASP Top 10 2021 - A4 : Insecure Design.
ERR01-J: Do not allow exceptions to expose sensitive information, in SEI CERT Coding Standard for Java.