logo

Observable Internal Behavioral Discrepancy

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when a system's internal steps or decisions become visible to an attacker because the system behaves differently at each stage. Instead of presenting a single, unified result, the product leaks information about its internal checks, allowing an attacker to map its logic and pinpoint weaknesses.

Extended Description

A secure system should act like a black box, giving attackers minimal feedback. When internal behaviors—like checking a username before verifying a password—produce distinct, observable responses, they create a roadmap for exploitation. Attackers can use these discrepancies to refine their approach, focusing only on the parts of the process that matter, which dramatically reduces the effort needed for a successful attack. For developers, the core principle is to ensure all execution paths for a given operation result in identical external behavior. In the classic login example, both an invalid username and an incorrect password should trigger the same generic error message and timing. By consolidating outputs and eliminating behavioral clues, you remove the signposts attackers rely on to understand and compromise your system's internal state.
Common Consequences 1
Scope: ConfidentialityAccess Control

Impact: Read Application DataBypass Protection Mechanism
Potential Mitigations 1
Setup generic response pages for error conditions. The error page should not disclose information about the success or failure of a sensitive operation. For instance, the login page should not confirm that the login is correct and the password incorrect. The attacker who tries random account name may be able to guess some of them. Confirming that the account exists would make the login page more susceptible to brute force attack.
Observed Examples 4
CVE-2002-2031File existence via infoleak monitoring whether "onerror" handler fires or not.
CVE-2005-2025Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not).
CVE-2001-1497Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space.
CVE-2003-0190Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Observable Behavioral Discrepancy (CWE-205)
Taxonomy Mapping
  • PLOVER