Information leakage is a weakness where an application reveals sensitive information such as technical details, environment details, or user-specific data. Sensitive data may be used by an attacker to plan out more refined attacks against the application.

Resources such as files and directories may be inadvertently exposed through mechanisms such as insecure permissions, or when a program accidentally operates on the wrong object. Alternatively, information may be accidentally transmitted over an insecure channel. In addition, information identifying the architecture, software, and versions may give an attacker the details needed to focus further attacks. Error messages are also a major source of sensitive information.

Regardless of the cause, the result is that a resource has been exposed to an entity that is not authorized to view the data, because the software incorrectly maintains control over the resource throughout its lifetime.

Impact of Information Leakage

Customer Names: Amazon exposed customer names and emails in a ‘technical error’

Some Amazon customers received an email from the company telling them their names and emails had been exposed due to a “technical error.” The impact of information leakage issues such as this can range from customers having to reset passwords, change significant elements of their identity (SIN/SSN), to providing an attacker with information about the site and its hosting environment.

Testing for Information Leakage for Java

Testing for information leakage involves:

  • Use a search engine to discover any information about the web application (Google dorks, etc.)
  • Attempt to fingerprint the web server and web application
  • Access web server meta files for information on file paths
  • Fingerprint the web application framework via cookies and headers
  • Follow all code paths to attempt to generate exception errors
  • Unit test extreme error conditions and confirm that errors and exceptions are handled

Examples of Information Leakage

The code below reveals in an error message that a given username does not exist. This lets an attacker enumerate valid and invalid usernames.

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

  response.setContentType("text/html");
  PrintWriter out = response.getWriter();

  String username = request.getParameter("username");
  String password = request.getParameter("password");

  // validateUser returns true when the username exists, so this branch
  // runs for unknown usernames and tells the client so: that is the leak.
  if (!LoginDao.validateUser(username)) {

    // This message differs from the one shown for a wrong password, so the
    // response alone reveals whether a username is valid.
    out.print("Sorry - no such username");
    RequestDispatcher rd = request.getRequestDispatcher("index.html");
    rd.include(request, response);
  }

  ...

Java Fixes for Information Leakage

Scrub HTML pages for user information, environment-specific information, and technical details that would help attackers learn more about the application, its users, or its environments. Be careful not to provide sensitive information in error messages, and ensure all errors and exceptions are handled in a controlled manner.
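A hardened version of the login handler, written as an added example for this article rather than taken from it. It returns one generic message for every failed login and hands the client only an opaque reference id when an exception occurs; LoginDao.authenticate, the login.jsp and error.jsp pages, and the /home path are assumed names.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hardened counterpart to the vulnerable doPost above. LoginDao.authenticate
// is an assumed method that returns true only for a valid username/password pair.
public class LoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());

    // One message for every failed login: the caller cannot tell whether the
    // username exists, so accounts cannot be enumerated through this form.
    private static final String GENERIC_FAILURE = "Invalid username or password.";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        try {
            boolean ok = username != null && password != null
                    && LoginDao.authenticate(username, password);

            if (!ok) {
                // Same status, body and target page whichever credential was wrong.
                request.setAttribute("error", GENERIC_FAILURE);
                request.getRequestDispatcher("login.jsp").forward(request, response);
                return;
            }
            response.sendRedirect(request.getContextPath() + "/home");
        } catch (Exception e) {
            // Keep the stack trace, exception class and any SQL/driver detail
            // server-side; the client gets only a reference id for support.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "login failure ref=" + ref, e);
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            request.setAttribute("error", "Something went wrong. Reference: " + ref);
            request.getRequestDispatcher("error.jsp").forward(request, response);
        }
    }
}
```

Pair this with a top-level error page in web.xml so that exceptions escaping other servlets are also rendered by error.jsp rather than the container's default stack-trace page.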

Tales

Information Leakage Example: UNICEF data leak reveals personal info of 8,000 online learners

The United Nations Children’s Fund (UNICEF) accidentally exposed the personal information of thousands of users of its online learning portal. This was caused by an email which was sent to 20,000 users of the same portal.


References

CWE-200: Information Exposure
CWE-664: Improper Control of a Resource Through its Lifetime
WASC-13: Information Leakage
OWASP Top 10-2017 A3: Sensitive Data Exposure