Leakage of Sensitive Information in Exception Messages

Overview

  • Rule ID: java_lang_information_leakage

  • Applicable Languages: Java

  • Weakness ID: CWE-209

Description

Exception messages that expose sensitive information can be a critical security vulnerability. When exception details are printed directly to the default output, they might reveal crucial information about the application’s configuration or environment, such as file paths, server details, or database configurations. This not only aids attackers in identifying potential entry points but also risks exposing user-specific data, leading to privacy violations.

Risks

  • Security Risks: Revealing system information can aid attackers in crafting more effective attacks, such as path traversal.

  • Privacy Risks: User-specific information in exception messages can lead to serious privacy breaches.

Remediation Guidelines

  • Avoid Printing Stack Traces: Refrain from printing full stack traces to the console or logs that are accessible to users.

    // Avoid this approach
    System.out.println(e); // Unsafe
    
  • Provide General Error Messages: Ensure that error messages are generic and do not include sensitive information.

    // Use this approach
    System.out.println("An error occurred. Please try again.");
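The two guidelines above are easier to apply together when the detail is not discarded but moved out of the user's reach. The following is an added example, not code from the original rule page: a read operation that echoes the raw exception to the caller next to the same operation returning a generic message while the full exception goes to the server-side log under a correlation id. `ReportService`, its method names and the sample report path are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (not part of the original rule page). ReportService, its
 * method names and the report path are hypothetical; the point is the contrast
 * between the two catch blocks.
 */
public class ReportService {

    private static final Logger LOG = Logger.getLogger(ReportService.class.getName());

    // Before: the exception's class and message go straight back to the caller.
    // For a missing file this reveals the absolute path on the server.
    public String readReportUnsafe(Path reportPath) {
        try {
            return Files.readString(reportPath);
        } catch (IOException e) {
            // Unsafe: returns text such as
            // "java.nio.file.NoSuchFileException: /srv/app/reports/q3.txt"
            return "Error: " + e;
        }
    }

    // After: the caller sees only a generic message plus an opaque reference id.
    // The full exception, path included, is written to the server log only,
    // and the reference id lets operators find that log entry when a user reports it.
    public String readReportSafe(Path reportPath) {
        try {
            return Files.readString(reportPath);
        } catch (IOException e) {
            String referenceId = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "Report read failed, reference " + referenceId, e);
            return "An error occurred. Please try again. (reference " + referenceId + ")";
        }
    }

    public static void main(String[] args) {
        ReportService service = new ReportService();
        // Constructed sample input: a path that does not exist on this machine.
        Path missing = Path.of("/srv/app/reports/q3.txt");
        System.out.println(service.readReportUnsafe(missing)); // exposes the path
        System.out.println(service.readReportSafe(missing));   // generic message only
    }
}
```

The server log line produced by `readReportSafe` still carries the path and stack trace, which is where that information belongs; the rule is about what reaches output an end user can read, so the log destination must itself be restricted to operators.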

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL
