CWE-223: Omission of Security-relevant Information
What is Omission of Security-relevant Information?
• Overview: CWE-223, Omission of Security-relevant Information, occurs when a product fails to capture or display critical information needed to identify the source or nature of an attack or to verify the safety of an action. This can make it difficult to detect or respond to security incidents.
• Exploitation Methods:
- Attackers can exploit this vulnerability by performing actions that are not logged or poorly logged, making it difficult to trace their activities.
- Common attack patterns include exploiting systems that do not log failed login attempts or do not provide sufficient detail in logs to identify malicious actions.
• Security Impact:
- Direct consequences of successful exploitation include the inability to detect unauthorized access or attacks, leading to undetected breaches.
- Potential cascading effects involve prolonged exposure to threats, as security teams may not have enough information to respond effectively.
- Business impact can include increased risk of data breaches, loss of customer trust, and non-compliance with regulatory requirements.
• Prevention Guidelines:
- Specific code-level fixes include ensuring that logs capture detailed security-relevant information such as timestamps, user IDs, and IP addresses.
- Security best practices involve implementing comprehensive logging strategies and regularly reviewing logs for suspicious activities.
- Recommended tools and frameworks include centralized logging solutions such as the ELK Stack or Splunk, and security information and event management (SIEM) systems to analyze and correlate log data.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
import logging
from flask import Flask, request

app = Flask(__name__)
logging.basicConfig(filename='access.log', level=logging.INFO)


@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    # Vulnerable: Logging does not include IP address or user agent
    logging.info('Login attempt for user: %s', username)
    # Simulated authentication logic
    if username == 'admin' and password == 'password123':
        return "Login successful", 200
    else:
        return "Login failed", 401


if __name__ == '__main__':
    app.run()
Vulnerability Explanation:
- Omission of Security-relevant Information: The logging statement records login attempts but omits crucial security information such as the client's IP address and User-Agent.
- Impact: Without logging this information, it becomes difficult to trace the source of potential attacks or unauthorized access attempts, which impairs the ability to detect and respond to security incidents effectively.
How to fix Omission of Security-relevant Information?
Fixed Code Example
import logging
from flask import Flask, request

app = Flask(__name__)
logging.basicConfig(filename='access.log', level=logging.INFO, format='%(asctime)s - %(message)s')


@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    # Fixed: Logging includes IP address and User-Agent
    client_ip = request.remote_addr
    user_agent = request.headers.get('User-Agent')
    logging.info('Login attempt for user: %s from IP: %s with User-Agent: %s', username, client_ip, user_agent)
    # Simulated authentication logic
    if username == 'admin' and password == 'password123':
        return "Login successful", 200
    else:
        return "Login failed", 401


if __name__ == '__main__':
    app.run()
Explanation of Fix:
- Enhanced Logging: The logging statement now captures and records the client's IP address and User-Agent, in addition to the username.
- Comprehensive Information: This additional information is crucial for tracing security events back to their origin and understanding the context of the requests, which aids in security monitoring and forensic investigations.
- Best Practices: The logging format now includes timestamps, which are essential for chronological tracing of events.
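The prevention guidelines above ask for logs that carry timestamps, user IDs and source addresses, and the fixed example shows one such log line. The example below, added here and not part of the CWE entry or of the Flask code above, goes one step further in both directions: it writes each authentication event as a structured JSON record that also carries the outcome (the fixed example records only that an attempt happened, not whether it succeeded), and it includes an audit function that scans existing log lines and reports records missing any required field, which is how a defender can find CWE-223 in log output rather than only in source. It uses the standard library only; the field list in REQUIRED_FIELDS, the logger name "auth", the sample IP addresses and user agents, and the legacy line appended in demo() are all constructed for the example.

```python
import io
import json
import logging
from datetime import datetime, timezone

# Fields every authentication record must carry. This list is an assumed policy
# for the example; CWE-223 itself does not prescribe a field set.
REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "src_ip", "user_agent")


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per record so security fields are machine-checkable
    instead of being buried in free text."""

    def format(self, record):
        payload = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "event": record.getMessage(),
        }
        # Structured fields attached via logger.info(..., extra={"security": {...}})
        payload.update(getattr(record, "security", {}))
        return json.dumps(payload, sort_keys=True)


def build_auth_logger(stream):
    """Logger that writes JSON lines to `stream` (a file, or StringIO in the demo)."""
    logger = logging.getLogger("auth")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def log_auth_event(logger, outcome, username, src_ip, user_agent, reason=None):
    """Record a login attempt with the context needed to trace it later.
    The password is deliberately never passed in: it is a secret, not context."""
    fields = {
        "outcome": outcome,                    # "success" or "failure"
        "user": username,
        "src_ip": src_ip or "unknown",         # never silently drop the field
        "user_agent": user_agent or "unknown",
    }
    if reason:
        fields["reason"] = reason              # e.g. "bad_password", "no_such_user"
    logger.info("login", extra={"security": fields})


def audit_log_lines(lines):
    """Detection side: return [(line_no, missing_fields)] for every record that
    omits a required field. Unparseable free-text lines count as missing all."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, list(REQUIRED_FIELDS)))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((n, missing))
    return findings


def demo():
    """Write two well-formed records plus one constructed legacy line in the
    style of the vulnerable example, then audit all three."""
    buf = io.StringIO()
    logger = build_auth_logger(buf)
    log_auth_event(logger, "failure", "admin", "203.0.113.7", "curl/8.4.0", reason="bad_password")
    log_auth_event(logger, "success", "alice", "198.51.100.23", "Mozilla/5.0")
    lines = buf.getvalue().splitlines()
    lines.append("INFO:root:Login attempt for user: admin")  # constructed legacy line
    return lines, audit_log_lines(lines)


if __name__ == "__main__":
    lines, findings = demo()
    print("\n".join(lines))
    print("records missing security-relevant fields:", findings)
```

Running the script prints the two JSON records and reports line 3, the legacy free-text line, as missing every required field. Two practical caveats when wiring this into the Flask handler above: record the outcome after authentication has been decided, not before, and treat request.remote_addr as the address of whatever connected directly to the app, which behind a reverse proxy is the proxy itself unless the proxy's forwarded-for header is validated and applied.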