AttackFlow Findings Dictionary


Sensitive Information Exposure

An attacker can read sensitive system-related information from the responses the application provides.

Severity: Medium

Fix Cost: Low

Trust Level: Low

Sensitive information leakage is a relative, wide-scope issue that should be evaluated for each software project and use case. However, as a general rule of thumb, no software should disclose sensitive information through application responses.

For example, if writing the current working directory to the response is unnecessary and the goal could be achieved by other means, the usage in the code below should be prevented:

using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;

public class SearchController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Search(String criteria)
    {
        HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.OK);

        // Leaks the server's working directory to the client in a cookie
        CookieHeaderValue cookie = new CookieHeaderValue("pwd", Environment.CurrentDirectory);
        response.Headers.AddCookies(new[] { cookie });

        return response;
    }
}

There are other environment- and server-specific sources of sensitive information; some of them are exposed as properties of the System.Environment, System.Web.HttpServerUtility and System.Web.HttpRuntime classes.

The same rule applies to Java. For example, if writing the current working directory to the response is unnecessary and the goal could be achieved by other means, the usage in the servlet code below should be prevented:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Enclosing servlet class added so the snippet compiles; the name is assumed
public class SearchServlet extends HttpServlet {

    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

        // Leaks the JVM's working directory to the client in a cookie
        String currentDir = System.getProperty("user.dir");
        Cookie cookie = new Cookie("cwd", currentDir);

        res.addCookie(cookie);

        // ...
    }
}
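As an added example (not AttackFlow's code), the kind of check a test harness or response-inspecting proxy can run to flag the leak shown in both snippets above: it scans Set-Cookie values, other headers and the body for server-side paths and stack-frame fragments. The indicator patterns and the sample response are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators of server-side environment details (constructed, not exhaustive):
# Windows drive paths, absolute paths under common deployment roots, and
# stack-frame fragments such as "Foo.cs:line 42" or "Foo.java:42".
LEAK_PATTERNS = {
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s;]+\\)*[^\\\s;]*"),
    "unix_path": re.compile(r"(?<![\w/])/(?:home|var|opt|usr|srv|etc|app)/[^\s;\"']*"),
    "stack_frame": re.compile(r"\b\w+\.(?:cs|java|vb):(?:line )?\d+"),
}

def scan_text(text):
    """Return (pattern_name, matched_text) for every indicator found in text."""
    return [(name, m.group(0))
            for name, pattern in LEAK_PATTERNS.items()
            for m in pattern.finditer(text)]

def scan_response(headers, body):
    """Scan response headers (list of (name, value) pairs) and body.
    Set-Cookie values are split into name/value and URL-decoded first so an
    encoded path is still caught; other headers are scanned as-is."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            key, _, raw = value.split(";", 1)[0].partition("=")
            cookie_value = unquote(raw.strip().strip('"'))
            findings += [("cookie:" + key.strip(), p, m) for p, m in scan_text(cookie_value)]
        else:
            findings += [("header:" + name, p, m) for p, m in scan_text(value)]
    findings += [("body", p, m) for p, m in scan_text(body)]
    return findings

# Constructed sample: the working directory leaked in cookies, as in the
# Search examples above, plus a clean header and body for contrast.
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "pwd=C:\\inetpub\\wwwroot\\SearchApp; Path=/"),
    ("Set-Cookie", "cwd=/opt/tomcat/webapps/search; HttpOnly"),
]
SAMPLE_BODY = '{"results": []}'

if __name__ == "__main__":
    for location, kind, match in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{location}: {kind} -> {match}")
```

A hit is a signal to review, not proof of a defect: the patterns are deliberately broad, so tune them to the deployment paths of the application under test.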
