CWE-550: Server-generated Error Message Containing Sensitive Information
Learn about CWE-550 (Server-generated Error Message Containing Sensitive Information), its security impact, exploitation methods, and prevention guidelines.
What is Server-generated Error Message Containing Sensitive Information?
• Overview: Server-generated error messages that contain sensitive information can inadvertently expose details about the server, application, or infrastructure to potential attackers. Such messages are typically produced when a network failure or other error condition occurs, and the details they carry (hostnames, paths, versions, database structure) can give an attacker information useful for further attacks.
• Exploitation Methods:
- Attackers can exploit this vulnerability by deliberately causing errors or failures to trigger detailed error messages.
- Common attack patterns include sending unexpected input to the server or deliberately causing network disruptions to observe error message outputs.
• Security Impact:
- Direct consequences of successful exploitation include disclosure of sensitive information such as server configurations, software versions, or database error details.
- Potential cascading effects include increased risk of targeted attacks, such as SQL injection or cross-site scripting, based on the disclosed information.
- Business impact can include data breaches, loss of customer trust, and potential regulatory fines if sensitive data is exposed.
• Prevention Guidelines:
- Specific code-level fixes include configuring error messages to be generic in production environments and ensuring they do not reveal sensitive information.
- Security best practices involve implementing proper error handling, logging detailed error messages internally only, and displaying user-friendly messages to end-users.
- Recommended tools and frameworks include application-level error-handling libraries and logging frameworks that support secure logging practices, so that full detail is captured internally while the client response stays generic.
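The guidelines above, as an added illustration that is not part of the CWE entry: a Python request handler in its CWE-550 form beside the hardened form, plus a small response check a test suite can run. The DatabaseError class, the driver-style message, the hostname and the leak patterns are all constructed for this example.

```python
import logging
import re
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Stand-in for a database driver exception (hypothetical)."""


def lookup_user(user_id):
    """Simulated backend call that always fails. The message text is constructed
    to resemble a driver error and is not from any real system."""
    raise DatabaseError(
        f'relation "users" does not exist (host db-internal-01.corp, port 5432, id={user_id})'
    )


def get_user_insecure(user_id):
    """'Before': the exception text is copied into the response body (CWE-550)."""
    try:
        return 200, {"user": lookup_user(user_id)}
    except DatabaseError as exc:
        # Leaks the table name, an internal hostname and a port to the caller.
        return 500, {"error": f"Database error: {exc}"}


def get_user_hardened(user_id):
    """'After': full details go to the internal log under a correlation id;
    the client receives only a generic message and that id for support lookup."""
    try:
        return 200, {"user": lookup_user(user_id)}
    except DatabaseError:
        incident_id = uuid.uuid4().hex
        # log.exception records the message and traceback in the server log only.
        log.exception("lookup failed for user %r (incident %s)", user_id, incident_id)
        return 500, {"error": "An internal error occurred.", "incident_id": incident_id}


# Illustrative patterns for things that should never appear in a client-facing body.
LEAK_PATTERNS = [
    re.compile(r"\b[\w.-]+\.(corp|internal|local)\b"),  # internal hostnames
    re.compile(r"\bport \d{2,5}\b"),                     # port numbers
    re.compile(r'relation "\w+"'),                       # database object names
    re.compile(r"/(etc|var|home|usr)/"),                 # server file paths
]


def response_leaks_details(body):
    """Return True if any value in the response body matches a leak pattern."""
    text = " ".join(str(v) for v in body.values())
    return any(p.search(text) for p in LEAK_PATTERNS)
```

Running the check against both handlers shows the insecure body matching the hostname and table-name patterns while the hardened body passes.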
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified