CWE-203: Observable Discrepancy

Learn about CWE-203 (Observable Discrepancy), its security impact, exploitation methods, and prevention guidelines.

What is Observable Discrepancy?

• Overview: Observable Discrepancy (CWE-203) is a vulnerability where a software product behaves differently or sends varying responses based on certain conditions, which can be detected by unauthorized users. These differences can inadvertently disclose sensitive information about the system's state or operations.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by observing how a system's response changes under different inputs or conditions.
  • Common attack patterns include timing attacks, where differences in response times are measured, and control flow analysis, where variations in application behavior are monitored.

• Security Impact:

  • Direct consequences include the exposure of sensitive information, such as whether a specific operation succeeded or failed.
  • Potential cascading effects might involve enabling further attacks that exploit the leaked information, such as credential brute-forcing or targeted attacks on specific functionalities.
  • Business impact includes loss of customer trust, potential data breaches, and compliance violations leading to financial penalties.

• Prevention Guidelines:

  • Specific code-level fixes include ensuring that both the content and the timing of responses stay consistent regardless of the input or system state, for example by adding uniform delays in responses.
  • Security best practices involve minimizing error information in responses and logging detailed errors internally instead of exposing them to users.
  • Recommended tools and frameworks include static analysis tools to detect potential discrepancies and security testing tools that simulate attacks to identify observable discrepancies.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not Technology-Specific

Vulnerable Code Example

function authenticateUser(username, password) {
    // Check if the user exists in the database
    if (!userExists(username)) {
        return "User does not exist"; // Observable discrepancy: reveals user existence
    }
    // Verify if the password matches
    if (!checkPassword(username, password)) {
        return "Incorrect password"; // Observable discrepancy: reveals password status
    }
    return "Authentication successful";
}

How to fix Observable Discrepancy?

To mitigate the observable discrepancy vulnerability, use a single, generic error message for any type of authentication failure. This change prevents attackers from determining whether a username is valid or if the password is incorrect, thus reducing the potential attack surface for enumeration attacks.

Fixed Code Example

function authenticateUser(username, password) {
    // Check if the user exists and the password is correct
    if (!userExists(username) || !checkPassword(username, password)) {
        return "Invalid username or password"; // Generic error message prevents enumeration
    }
    return "Authentication successful";
}

Compared with the vulnerable example, the fixed version removes the specific error messages that told the attacker whether a username exists and whether the password was correct. Instead, a single, generic error message is returned for every failure. This approach aligns with security best practices by not disclosing unnecessary information to potential attackers, effectively mitigating the risk of enumeration attacks.
