Our project uses Fortify to scan our code. After scanning the code, there is an audit finding because HttpServletResponse directly writes the error message.

response.getWriter().println(e.getLocalizedMessage());

The following is the explanation of this issue.

Abstract:

The function processNonPersistenceException() in Utility.java might reveal system data or debugging information by calling println() on line 86. The information revealed by println() could help an adversary form a plan of attack.

Explanation:

An external information leak occurs when system data or debugging information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks which are more difficult for an attacker to access.

In this case println() is called in Utility.java at line 86.

And the recommendations are:

Recommendations:

Write error messages with security in mind. In production environments, turn off detailed error information in favor of brief messages. Restrict the generation and storage of detailed output that can help administrators and programmers diagnose problems. Be careful, debugging traces can sometimes appear in non-obvious places (embedded in comments in the HTML for an error page, for example).

Even brief error messages that do not reveal stack traces or database dumps can potentially aid an attacker. For example, an "Access Denied" message can reveal that a file or user exists on the system. Due to this, it's advised to always keep information instead of sending it to a resource directly outside the program.

I don't really know how to fix this issue. Do you have any suggestion? Many thanks.

BR Alex

Alex Du
2 Answers

I was looking for an answer for similar problem and came across this.

The problem in this code is very clearly that it sends the actual Exception message to the end user.

It is advised not to pass on the actual Exception trace or underlying code details in the error message.

This is mainly to avoid a hacker being able to identify more details about your program. A stack trace or exception message can give too much information to the hacker. At the same time it also does not help an end user.

Simply fix it by adding a simpler message. e.g. "Unexpected Error occurred. Please try later" or something better.

  • Thank you very much for your answer. But your solution "adding a simpler message" cannot be applied. The exception message has already been replaced by our own message, not including any "trace log". We will try not to use exceptions to pass messages. – Alex Du Apr 07 '17 at 05:43

Exception messages often contain information helpful to attackers, such as the particular libraries, DB, and other components used in your software.

Instead of displaying the exception message, display a generic, human-readable message ("An error occurred, please try again. If you need to contact support, reference case number 36313.") This is more user-friendly (it says what to do about the problem), and doesn't provide information that's useful to attackers. Server-side, log the error message and associate it with the case number, so your support team can see all the info.
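An added example (not the asker's Utility.java, nor either answerer's code) of the approach both answers describe: the flagged line beside a version that logs the full exception server-side under a generated case id and sends the client only a generic message. The class and method names are assumed, and it assumes the javax.servlet API on the classpath.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper class; names are assumptions, not the asker's Utility.java.
public final class ErrorResponder {
    private static final Logger LOG = Logger.getLogger(ErrorResponder.class.getName());

    // The pattern Fortify flags: the exception text (library names, SQL fragments,
    // file paths, usernames) is written straight into the HTTP response body.
    static void processNonPersistenceExceptionUnsafe(HttpServletResponse response,
                                                     Exception e) throws IOException {
        response.getWriter().println(e.getLocalizedMessage());
    }

    // Hardened version: the client sees a fixed message plus an opaque case id;
    // the message and stack trace stay in the server log, keyed by that id.
    static String processNonPersistenceException(HttpServletResponse response,
                                                 Exception e) throws IOException {
        String caseId = UUID.randomUUID().toString();
        // Full detail for the support team, never sent over the socket.
        LOG.log(Level.SEVERE, "case=" + caseId + " unhandled exception", e);
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("An error occurred, please try again. "
                + "If you need to contact support, reference case " + caseId + ".");
        return caseId;
    }
}
```

The case id is the only value that leaves the server; the log line carries everything else and can be found by that id.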