CWE-536 通过Servlet运行时错误消息导致的信息暴露
Information Exposure Through Servlet Runtime Error Message
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: unkown
基本描述
A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 210 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 210 cwe_View_ID: 699 cwe_Ordinal: Primary
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system. |
示例代码
例
The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace).
bad Java
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
// May cause unchecked NullPointerException.
if (username.length() ...
}
}文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论