Name | Fuzzing and observing application log data/errors for application mapping |
Summary | An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the log or error messages the application returns. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how the target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause it to enter an unstable state and crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information. |
Prerequisites | The target application must fail to sanitize incoming messages adequately before processing. |
Solutions | Design: Construct a 'code book' for error messages. When using a code book, application error messages are not returned in string or stack trace form, but are catalogued and replaced with a unique (often integer-based) value that 'codes' for the error. Such a technique requires helpdesk and hosting personnel to use the 'code book' or a similar mapping to decode application errors/logs in order to respond to them normally.
Design: Wrap application functionality (preferably through the underlying framework) in an output encoding scheme that obscures or cleanses error messages to prevent such attacks. Such a technique is often used in conjunction with the 'code book' suggestion above.
Implementation: Obfuscate the Server field of the HTTP response.
Implementation: Hide the inner ordering of HTTP response headers.
Implementation: Customize HTTP error pages such as 404 or 500.
Implementation: Hide the software-information field in HTTP response headers.
Implementation: Hide the software-information field in cookies.
Implementation: Obfuscate the database type in the database API's error messages. |
Related Weaknesses |
CWE ID | Description |
CWE-209 | Generation of Error Message Containing Sensitive Information |
CWE-532 | Insertion of Sensitive Information into Log File |
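The following is an added example, not code from the CAPEC entry, showing the 'code book' and output-cleansing mitigations side by side with the leaky behaviour they replace. The handler `parse_amount`, the code-book values, the header list, the leak patterns and the malformed inputs are all constructed for this illustration; a real deployment would catalogue its own exception types and keep the mapping in the operations runbook. The full stack trace still reaches the internal log (CWE-532 remains a concern there), so that log must be access-controlled.

```python
"""Code-book error handling versus raw error echo (constructed example)."""
import json
import logging
import re
import traceback
import uuid
from typing import Dict

internal_log = logging.getLogger("app.internal")  # server-side only

# Constructed code book: exception class -> opaque integer code.
# Operations staff decode these with the same table; clients never see names.
CODE_BOOK: Dict[type, int] = {
    KeyError: 1001,
    ValueError: 1002,
    PermissionError: 1003,
}
UNKNOWN_CODE = 1999

# Response headers that fingerprint the server stack (constructed list).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Fragments that betray a stack trace or database driver in a client body.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),
    re.compile(r"\b(psycopg2|MySQLdb|sqlite3|SQLSTATE|ORA-\d{5})\b"),
]

# Constructed sample of malformed inputs a defender would replay in a test.
MALFORMED_INPUTS = ["12a", "", "-1", "\x00", "1e9"]


def parse_amount(raw: str) -> int:
    """Hypothetical request handler that a malformed message reaches."""
    if not raw.isdigit():
        raise ValueError(f"invalid amount {raw!r}")
    return int(raw)


def naive_error_body(exc: Exception) -> str:
    """The leaky 'before': exception text and traceback go to the client."""
    return json.dumps({"error": str(exc), "trace": traceback.format_exc()})


def coded_error_body(exc: Exception) -> str:
    """The 'after': client gets an opaque code plus a reference id, and the
    trace is written to the internal log under that reference only."""
    code = CODE_BOOK.get(type(exc), UNKNOWN_CODE)
    ref = uuid.uuid4().hex[:12]
    internal_log.error("ref=%s code=%d\n%s", ref, code, traceback.format_exc())
    return json.dumps({"error": code, "ref": ref})


def handle(raw: str, coded: bool) -> Dict[str, object]:
    """Run the handler on one input and build the response body."""
    try:
        return {"status": 200, "body": json.dumps({"amount": parse_amount(raw)})}
    except Exception as exc:  # still inside the except block, so format_exc works
        body = coded_error_body(exc) if coded else naive_error_body(exc)
        return {"status": 500, "body": body}


def scrub_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop headers that advertise server software or version."""
    return {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}


def leaks_details(body: str) -> bool:
    """Output check: does a client-facing body contain trace/driver details?"""
    return any(p.search(body) for p in LEAK_PATTERNS)


def count_leaking_responses(coded: bool) -> int:
    """Replay the malformed inputs and count responses that leak details."""
    return sum(leaks_details(handle(raw, coded)["body"]) for raw in MALFORMED_INPUTS)


if __name__ == "__main__":
    print("leaks with raw errors:", count_leaking_responses(coded=False))
    print("leaks with code book: ", count_leaking_responses(coded=True))
    print(scrub_headers({"Server": "Apache/2.4.1", "Content-Type": "text/html"}))
```

`leaks_details` is the kind of check to wire into an integration test or an outbound response filter: it catches the case where a framework default error page slips past the code-book handler, which is exactly what this attack pattern probes for.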