Information Exposure Through an Error Message: utility.jsp
Created by: armorcodegithubqa[bot]
The application calls the javax.servlet.jsp.JspWriter.print() function, which may expose information about the application logic or other details such as the names and versions of the application container and associated components. This information can be useful in executing other attacks and can also enable the attacker to target known vulnerabilities in application components. The first argument to print() contains data from an error message (possibly containing untrusted data) from the variable errorMessage. The data from an error message (possibly containing untrusted data) originated from an earlier call to java.lang.Throwable.printStackTrace. The data from an error message (possibly containing untrusted data) is directed into an output stream returned by javax.servlet.jsp.JspWriter.
Ensure that error codes or other messages returned to end users are not overly verbose. Sanitize all messages of any sensitive information that is not absolutely necessary.
References: CWE (http://cwe.mitre.org/data/definitions/209.html)
File Path: utility.jsp
Mitigation: Apply robust input filtering for all user-supplied data, using centralized data validation routines when possible. Use output filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity equivalents.
https://qa.armorcode.ai/#/findings/6498494
Knowledge Base: Error Handling Flaws - Information and How to Fix:https://qa.armorcode.ai/#/knowledgeBase/40