Servlet Runtime Error Message Containing Sensitive Information

Abstraction: Variant
Status: Incomplete
Structure: Simple
Description

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system.

Demonstrative Examples

ID: DX-190

The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace).

Code Example (Bad, Java):

```java
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String username = request.getParameter("username");

    // May cause unchecked NullPointerException: getParameter() returns null
    // when the field is absent, and nothing here catches the resulting exception,
    // so the container's default error page (often a full stack trace) is sent.
    if (username.length() < 10) {
        // ...
    }
}
```
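A hardened counterpart to the servlet above, added here as an example and not part of the CWE entry: the parameter is checked before it is dereferenced, and any remaining runtime failure is logged server-side while the client receives only a generic status code. The class name `RegisterServlet`, the `handleRegistration` helper and the minimum-length constant are assumptions standing in for the elided application logic.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet illustrating the fix for the unhandled-exception pattern above.
public class RegisterServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(RegisterServlet.class.getName());
    private static final int MIN_USERNAME_LENGTH = 10; // assumed threshold from the example

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String username = request.getParameter("username");

            // getParameter() returns null when the field is missing: reject the request
            // instead of dereferencing null and letting the container render the failure.
            if (username == null || username.length() < MIN_USERNAME_LENGTH) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "username must be at least " + MIN_USERNAME_LENGTH + " characters");
                return;
            }

            handleRegistration(username, response);

        } catch (RuntimeException e) {
            // Full detail (exception class, message, stack trace, file locations)
            // stays in the server log where operators can read it.
            LOG.log(Level.SEVERE, "Unhandled error while processing registration", e);

            // The client gets only a generic 500 with no internals. A catch-all
            // <error-page> in web.xml is the complementary container-level control.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    // Hypothetical application logic standing in for the "..." of the original example.
    private void handleRegistration(String username, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain");
        response.getWriter().println("Registered " + username);
    }
}
```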

Modes of Introduction
Implementation