CWE-204: Observable Response Discrepancy

Learn about CWE-204 (Observable Response Discrepancy), its security impact, exploitation methods, and prevention guidelines.

What is Observable Response Discrepancy?

• Overview: Observable Response Discrepancy (CWE-204) occurs when a system provides different responses to requests in a way that unintentionally reveals information about its internal state or behavior to unauthorized users. This can allow attackers to infer sensitive details about the system.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by sending different types of requests and analyzing the variations in responses to deduce sensitive information.
  • Common attack patterns include timing attacks, where response time differences reveal information, and error message analysis, where distinct error messages provide clues about the system.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive information and the ability to map out system architecture or security controls.
  • Potential cascading effects involve increased risk of other attacks, such as SQL injection or cross-site scripting, if attackers can determine exploitable entry points.
  • Business impact may include data breaches, loss of customer trust, financial losses, and regulatory penalties.

• Prevention Guidelines:

  • Specific code-level fixes include standardizing error messages and response times to prevent attackers from distinguishing between different types of requests or errors.
  • Security best practices involve implementing input validation and output encoding to minimize the information leaked through responses.
  • Recommended tools and frameworks include using web application firewalls (WAFs) to detect and block anomalous behavior, and adopting security-focused development frameworks that emphasize consistent response handling.

Corgea can automatically detect and fix Observable Response Discrepancy in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

// This function handles user login by checking credentials
function login(username, password) {
    // Simulate user data storage
    const storedUsername = "admin";
    const storedPassword = "password123";
    
    if (username !== storedUsername) {
        // Response for incorrect username
        return "Username does not exist";
    }

    if (password !== storedPassword) {
        // Response for incorrect password
        return "Incorrect password";
    }

    // Successful login
    return "Login successful";
}

Explanation of the Vulnerability

  • Observable Response Discrepancy (CWE-204): The code above returns different error messages for an incorrect username and for an incorrect password. An attacker can therefore tell the two cases apart and confirm which usernames exist (username enumeration). Once a valid username is confirmed, the attacker can concentrate on guessing that account's password, which raises the chance that a brute force or credential stuffing attack succeeds.

How to fix Observable Response Discrepancy?

To mitigate this vulnerability, the application should provide a uniform response for all unsuccessful login attempts, regardless of whether the username or password is incorrect. This approach prevents attackers from deducing valid usernames.

Fixed Code Example

// This function handles user login by checking credentials securely
function login(username, password) {
    // Simulate user data storage
    const storedUsername = "admin";
    const storedPassword = "password123";
    
    // Check credentials and provide a uniform response for failures
    if (username !== storedUsername || password !== storedPassword) {
        // Generic response for any incorrect credential
        return "Invalid username or password";
    }

    // Successful login
    return "Login successful";
}

Explanation of the Fix

  • Consistent Error Message: The fixed code returns a single, generic error message, "Invalid username or password", for every login failure, whether the username or the password was wrong. An attacker can no longer determine which part of the credentials was incorrect, so valid usernames cannot be confirmed this way and the follow-on attacks described above become harder. The example compares plaintext strings purely for illustration; in production the password is checked against a stored hash, and that check should run even when the username is unknown, so that response time does not leak the same distinction the message no longer does.