information leakage._information interview

information leakage._information interviewhttps://www.owasp.org/index.php/Information_LeakageExamplesExample1Thefollowingcodeprintsthepathenvironmentvariabletothestandarderrorstream: char*path=getenv(“PATH”); …

大家好,又见面了,我是你们的朋友全栈君。如果您正在找激活码,请点击查看最新教程,关注关注公众号 “全栈程序员社区” 获取激活教程,可能之前旧版本教程已经失效.最新Idea2022.1教程亲测有效,一键激活。

Jetbrains全系列IDE使用 1年只要46元 售后保障 童叟无欺

https://www.owasp.org/index.php/Information_Leakage

Examples

Example 1

The following code prints the path environment variable to the standard error stream:

	char* path = getenv("PATH");
	... 
	sprintf(stderr, "cannot find exe on path %s\n", path);

Example 2

The following code prints an exception to the standard error stream:

	try {
		...
	} catch (Exception e) {
		e.printStackTrace();
	}

Depending upon the system configuration, this information can be dumped to a console, written to a log file, or exposed to a remote user. In some cases the error message tells the attacker precisely what sort of an attack the system will be vulnerable to. For example, a database error message can reveal that the application is vulnerable to a SQL injection attack. Other error messages can reveal more oblique clues about the system. In the example above, the search path could imply information about the type of operating system, the applications installed on the system, and the amount of care that the administrators have put into configuring the program.

Accidental leaking of sensitive information through data queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Consequences

  • Confidentiality: Sensitive information may possibly be disclosed through data queries accidentally.

Exposure period

  • Design: Proper mechanisms for preventing this kind of problem generally need to be identified at the design level.

Avoidance and mitigation

This is a complex topic. See the book Translucent Databases for a good discussion of best practices.

In situations where data should not be tied to individual users, but a large number of users should be able to make queries that “scrub” the identity of users, it may be possible to get information about a user – e.g., by specifying search terms that are known to be unique to that user.

Accidental leaking of sensitive information through error messages

Server messages need to be parsed before being passed on to the user.

Consequences

  • Confidentiality: Often this will either reveal sensitive information which may be used for a later attack or reveal private information stored in the server.

Exposure period

  • Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.
  • Build: It is important to adequately set read privileges and otherwise operationally protect the log.

Platform

  • Languages: Any; it is especially prevalent, however, when dealing with SQL or languages which throw errors.
  • Operating platforms: Any

Avoidance and mitigation

  • Implementation: Any error should be parsed for dangerous revelations.
  • Build: Debugging information should not make its way into a production release.

Discussion

Once an attack has failed, the first thing an attacker may use to stage the next attack is the error information provided by the server.

SQL Injection attacks generally probe the server for information in order to stage a successful attack.

Example: In Java:

try {
  /.../
} catch (Exception e) {
  System.out.println(e);
}

Here you are passing much more data than is needed.

Another example is passing SQL exceptions to a WebUser without filtering.

Accidental leaking of sensitive information through sent data

The accidental leaking of sensitive information through sent data refers to the transmission of data which is either sensitive in and of itself, or useful in the further exploitation of the system through standard data channels.

Consequences

  • Confidentiality: Data leakage results in the compromise of data confidentiality.

Exposure period

  • Requirements specification: Information output may be specified in the requirements documentation.
  • Implementation: The final decision as to what data is sent is made at implementation time.

Avoidance and mitigation

  • Requirements specification: Specify data output such that no sensitive data is sent.
  • Implementation: Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere.

Accidental data leakage occurs in several places and can essentially be defined as unnecessary data leakage. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

The following is an actual MySQL error statement:

Warning: mysql_pconnect(): 
Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4

Missing Catch Block

If a Servlet fails to catch all exceptions, it may reveal debugging information that will help an adversary form a plan of attack.

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Example 1

In the following method a DNS lookup failure will cause the Servlet to throw an exception.

	protected void doPost (HttpServletRequest req,                 
						HttpServletResponse res)
				  throws IOException {
		String ip = req.getRemoteAddr();
		InetAddress addr = InetAddress.getByName(ip);
		...
		out.println("hello " + addr.getHostName());
	}

Example 2

The following method will throw a NullPointerException if the parameter “name” is not part of the request.

	protected void doPost (HttpServletRequest req,                 
						HttpServletResponse res)
				  throws IOException {
		String name = getParameter("name");
		...
		out.println("hello " + name.trim());
	}

A good error handling mechanism always tries to capture all exceptions and returns a generic error message that does not reveal any details about the error and the application. Depending on the platform and container the application is running on, there can be different options.

  • Set a generic custom error page for all unhandled exceptions at the container level. (Normally, this is set in the configuration file.) The generic custom error page should have a simple error message that does not reveal any details about the exception happened.
    • In ASP.NET, it is the customError tag in the web.config file
  • Use an global error handler to capture all unhandled exceptions.
    • In ASP.NET, it is the Application_Error sub in the global.asax file.
  • Handle the error in the page level
    • In ASP.NET, it is the Page_Error sub on the aspx page or associated codebehind page

 

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员-用户IM,转载请注明出处:https://javaforall.cn/192258.html原文链接:https://javaforall.cn

【正版授权,激活自己账号】: Jetbrains全家桶Ide使用,1年售后保障,每天仅需1毛

【官方授权 正版激活】: 官方授权 正版激活 支持Jetbrains家族下所有IDE 使用个人JB账号...

(0)


相关推荐

  • Java并发面试_常见面试题

    Java并发面试_常见面试题预览并发问题详解请谈谈你对volatile的理解linkCAS你知道吗?link原子类Atomiclntegerl的ABA问题谈谈?原子更新引用知道吗?link我们知道ArrayList是线程不安全,请编码写一个不安全的案例并给出解决方案link公平锁/非公平锁/可重入锁/递归锁/自旋锁谈谈你的理解?请手写一个自旋锁linkCountDownLatch/CyclicBarrier/Semaphore使用过吗?link阻塞队列知道吗?l

  • awk命令详解

    awk命令详解概述awk是专门为文本处理设计的编程语言,与sed类似都是以数据驱动的行处理软件,主要用于数据扫描、过滤、统计汇总工作,数据可以来自标准输入、管道或者文件。awk在20世纪70年代诞生与贝尔实验室。现在使用的版本是1988年发布的Gnuawk。基础语法记录与字段awk是一种处理文本文件的编程语言,文件的每行数据都被称为记录,默认以空格或制表符为分隔符,每条记录被分成若干字段(列),awk每次从文件中读取一条记录。语法格式:awk[选项]‘条件{动作}条件{动作}……’

  • goland 2022 永久激活码_在线激活2022.03.13「建议收藏」

    (goland 2022 永久激活码)2021最新分享一个能用的的激活码出来,希望能帮到需要激活的朋友。目前这个是能用的,但是用的人多了之后也会失效,会不定时更新的,大家持续关注此网站~IntelliJ2021最新激活注册码,破解教程可免费永久激活,亲测有效,下面是详细链接哦~https://javaforall.cn/100143.html…

  • 利用ADB命令强制卸载oppo自带浏览器

    利用ADB命令强制卸载oppo自带浏览器

    2020年11月19日
  • XSS攻击拦截_struts拦截器作用

    XSS攻击拦截_struts拦截器作用struts2拦截器添加及xss攻击的处理

  • MVC过滤器的详细讲解和示范样本

    MVC过滤器的详细讲解和示范样本

发表回复

您的电子邮箱地址不会被公开。

关注全栈程序员社区公众号