This weakness generally requires domain-specific interpretation using manual analysis. However, the number of potential error conditions may be too large to cover completely within limited time constraints.
CWE-209 Base Brouillon
Generation of Error Message Containing Sensitive Information
This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users.
Définition
What is CWE-209?
This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users.
When an application fails, it often generates error messages to help with debugging. However, if these messages aren't carefully filtered, they can leak critical secrets like database connection strings, server file paths, user passwords, API keys, or internal system configurations. Attackers can deliberately trigger these errors to gather intelligence, making your system an open book for reconnaissance and paving the way for more targeted attacks.
To prevent this, applications must implement generic, user-friendly error messages in production environments. All detailed debugging information, stack traces, and system data should be logged securely on the server side where only authorized administrators can access them. This practice, often called 'security through obscurity,' is a fundamental layer of defense that denies attackers the information they need to exploit other weaknesses in your application.
Impact réel
Real-world CVEs caused by CWE-209
-
POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness.
-
Program reveals password in error message if attacker can trigger certain database errors.
-
Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209).
-
Existence of user names can be determined by requesting a nonexistent blog and reading the error message.
-
Direct request to library file in web application triggers pathname leak in error message.
-
Malformed input to login page causes leak of full path when IMAP call fails.
-
Malformed regexp syntax leads to information exposure in error message.
-
verbose logging stores admin credentials in a world-readablelog file
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
In the following example, sensitive information might be printed depending on the exception that occurs.
- 2
If an exception related to SQL is handled by the catch, then the output might contain sensitive information such as SQL query structure or private information. If this output is redirected to a web user, this may represent a security problem.
- 3
This code tries to open a database connection, and prints any exceptions that occur.
- 4
If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database.
- 5
The following code generates an error message that leaks the full pathname of the configuration file.
Exemple de code vulnérable
Vulnerable Java
In the following example, sensitive information might be printed depending on the exception that occurs.
try {
/.../
}
catch (Exception e) {
System.out.println(e);
} Exemple de code sécurisé
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-209
- Implementation Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Implementation Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
- Implementation Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
- Implementation / Build and Compilation Debugging information should not make its way into a production release.
- Implementation / Build and Compilation Debugging information should not make its way into a production release.
- System Configuration Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
- System Configuration Create default error pages or messages that do not leak any information.
Signaux de détection
How to detect CWE-209
Automated methods may be able to detect certain idioms automatically, such as exposed stack traces or pathnames, but violation of business rules or privacy requirements is not typically feasible.
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Error conditions may be triggered with a stress-test by calling the software simultaneously from a large number of threads or processes, and look for evidence of any unexpected behavior.
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Plexicus détecte automatiquement CWE-209 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-209 ?
Quelle est la gravité de CWE-209 ?
Quels langages ou plateformes sont affectés par CWE-209 ?
Comment puis-je prévenir CWE-209 ?
Comment Plexicus détecte et corrige CWE-209 ?
Où puis-je en savoir plus sur CWE-209 ?
Frequently asked questions
Qu'est-ce que CWE-209 ?
This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error messages shown to users.
Quelle est la gravité de CWE-209 ?
MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.
Quels langages ou plateformes sont affectés par CWE-209 ?
MITRE lists the following affected platforms: PHP, Java.
Comment puis-je prévenir CWE-209 ?
Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be…
Comment Plexicus détecte et corrige CWE-209 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-209 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-209 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/209.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-209
CWE-200 Parent
Exposure of Sensitive Information to an Unauthorized Actor
This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it.
CWE-1258 Frère
Exposure of Sensitive System Information Due to Uncleared Debug Information
This vulnerability occurs when hardware fails to erase sensitive data like cryptographic keys and intermediate values before entering…
CWE-1273 Frère
Device Unlock Credential Sharing
This vulnerability occurs when the secret keys or passwords required to unlock a device's hidden features are shared between multiple…
CWE-1295 Frère
Debug Messages Revealing Unnecessary Information
The product's debug messages or logs expose excessive internal system details, potentially revealing sensitive information that could aid…
CWE-1431 Frère
Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
This vulnerability occurs when a hardware cryptographic module leaks sensitive internal data through its output channels. Instead of only…
CWE-201 Frère
Insertion of Sensitive Information Into Sent Data
This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like…
CWE-203 Frère
Observable Discrepancy
This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can…
CWE-213 Frère
Exposure of Sensitive Information Due to Incompatible Policies
This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information…
CWE-215 Frère
Insertion of Sensitive Information Into Debugging Code
This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or…
Ressources
Further reading
- MITRE — CWE-209 officiel https://cwe.mitre.org/data/definitions/209.html
- Information Leakage http://projects.webappsec.org/w/page/13246936/Information%20Leakage
- Top 25 Series - Rank 16 - Information Exposure Through an Error Message https://www.sans.org/blog/top-25-series-rank-16-information-exposure-through-an-error-message
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.