Information Leak
What does this mean?
A website that unintentionally exposes sensitive information to its users is said to have an information leak. The risks of leaking sensitive customer or corporate data are self-evident, but revealing technical information (stack traces, internal host names or addresses, the frameworks in use and their versions) can be just as dangerous.
What can happen?
Exposing sensitive personal or corporate data can have a serious impact on the people concerned. Leaking technical information, such as the directory structure or the third-party frameworks in use, may have little or no immediate impact on its own. In the wrong hands, however, that knowledge lets an attacker fingerprint the application and target known weaknesses in it, so a technical leak is often the reconnaissance step for a more serious attack.
Recommendation
- Make certain that everyone involved in building the website knows exactly what material is considered sensitive.
- Audit the code for possible information leakage as part of your QA or build process (for example, look for stack-trace printing, debug output and diagnostic pages such as phpinfo()).
- Use generic error messages wherever possible, and record the technical detail in a server-side log rather than in the response shown to the user.
Sample Code
Vulnerable:
warningDialogBox = this.myWidgetFactoryWrapper.createHtmlDialogBox();
// Leaks the internal host name or address of a backend system to the end user
warningDialogBox.setText("WARNING: Could not connect to app server at " + serverAddress);

java.io.ByteArrayOutputStream outputStream = new java.io.ByteArrayOutputStream();
try {
    int num1 = 5 / 0;   // throws ArithmeticException at runtime
} catch (Throwable e) {
    // Captures the full stack trace: class and method names, source line numbers
    // and the frameworks in use ...
    e.printStackTrace(new java.io.PrintStream(outputStream));
}
// ... and sends it to the user instead of the server-side log
System.out.println(outputStream.toString());
Non Vulnerable:
warningDialogBox = this.myWidgetFactoryWrapper.createHtmlDialogBox();
// The internal address goes to the server-side log, where operators can see it
LOGGER.warning("WARNING: Could not connect to app server at " + serverAddress);
// The user sees only a generic message
warningDialogBox.setText("Unable to connect to application server, please contact support.");
Vulnerable:
<?php
// phpinfo() writes the PHP version, loaded modules, configuration and
// environment variables to anyone who can reach this page
phpinfo();
?>
Non Vulnerable:
<?php
// Diagnostic output removed; phpinfo() must never be reachable in production
// phpinfo();
?>
Vulnerable:
// `information` is assumed to hold sensitive data (user details, tokens, internal state).
// Anything written to the console can be read by any user who opens the browser's developer tools.
console.log(information)