
Information disclosure

Sensitive information exposed unintentionally.


What is information disclosure?

Information disclosure is a security vulnerability where sensitive data such as internal error messages, stack traces, credentials, or private user information is accidentally revealed by an application. Often resulting from improper error handling or missing security headers, these disclosures can provide attackers with valuable insights into system architecture, application logic, or sensitive data. Information disclosure risks are highlighted by security organizations like OWASP as common vulnerabilities because they significantly increase the potential for targeted attacks or exploitation.

How to prevent information disclosure vulnerabilities

To prevent information disclosure, implement strict error handling to ensure applications do not expose detailed internal error messages, stack traces, or debug information to end-users. Configure appropriate security headers (such as Content Security Policy, X-Content-Type-Options, and X-Frame-Options) to safeguard against unintended disclosures. Regularly scan and review application logs and responses to detect leaks of sensitive data proactively. Adopt secure coding standards recommended by OWASP, continuously train developers on privacy and security practices, and regularly conduct security assessments and penetration tests to uncover and address potential disclosure vulnerabilities.
diff block
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.clientsidefiltering;
+
+import jakarta.annotation.PostConstruct;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.util.FileCopyUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+
+@RestController
+@Slf4j
+public class Salaries {
+
+ @Value("${webgoat.user.directory}")
+ private String webGoatHomeDirectory;
+
+ @PostConstruct
+ public void copyFiles() {
+ ClassPathResource classPathResource = new ClassPathResource("lessons/employees.xml");
+ File targetDirectory = new File(webGoatHomeDirectory, "/ClientSideFiltering");
+ if (!targetDirectory.exists()) {
+ targetDirectory.mkdir();
+ }
+ try {
+ FileCopyUtils.copy(
+ classPathResource.getInputStream(),
+ new FileOutputStream(new File(targetDirectory, "employees.xml")));
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ @GetMapping("clientSideFiltering/salaries")
+ @ResponseBody
+ public List<Map<String, Object>> invoke() {
+ NodeList nodes = null;
+ File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
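Review bot: `invoke()` builds the path `ClientSideFiltering/employees.xml` under `webGoatHomeDirectory` and, as far as this hunk shows, opens it with no existence or readability check and no handler for the failure; a `FileNotFoundException` carries the absolute path in its message, so if that message is ever rendered into an HTTP error response the server's directory layout is disclosed. `copyFiles()` has the same shape: the return value of `targetDirectory.mkdir()` is ignored, and `throw new RuntimeException(e)` wraps an `IOException` whose message names the target file. Check `d.exists() && d.canRead()` before opening, catch `IOException` around the read, log the exception with its path server-side, and return only a fixed client-facing message.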
Greptile
logic: No validation of XML file existence or permissions before attempting to read. Could lead to information disclosure.
suggested fix
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
+ if (!d.exists() || !d.canRead()) {
+ throw new RuntimeException("Cannot access employees.xml file");
}
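The strict error handling recommended in the FAQ above, applied to the suggested fix: a Spring global exception handler, added here as an example and not code from WebGoat or Greptile, that keeps the message of the thrown `RuntimeException` ("Cannot access employees.xml file") and any file path in the server log and returns the client only a fixed message plus a correlation id. The class name `GenericErrorHandler` and the package are assumptions.

```java
package example; // assumed package for this added example

import java.util.Map;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/**
 * Catch-all handler for REST controllers. The full exception (class, message,
 * stack trace, file paths such as .../ClientSideFiltering/employees.xml) goes to
 * the server log under a correlation id; the HTTP body carries only that id and
 * a generic message, so neither a FileNotFoundException nor the
 * "Cannot access employees.xml file" RuntimeException reaches the client.
 *
 * Pair this with the Spring Boot error properties that stop the default error
 * page from echoing exception details:
 *   server.error.include-stacktrace=never
 *   server.error.include-message=never
 *   server.error.include-exception=false
 */
@RestControllerAdvice
public class GenericErrorHandler {

    private static final Logger log = LoggerFactory.getLogger(GenericErrorHandler.class);

    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> handleAny(Exception ex) {
        // Correlation id links the generic client response to the detailed log line.
        String correlationId = UUID.randomUUID().toString();

        // Server side only: message and stack trace (with any path) stay in the log.
        log.error("Unhandled exception, correlationId={}", correlationId, ex);

        // Client side: no exception class name, message, path or trace.
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body(Map.of(
                        "error", "An internal error occurred.",
                        "correlationId", correlationId));
    }
}
```

Support staff can look up the correlation id in the log to find the real cause without the response ever revealing it.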