Description
The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality: Read Application Data
Potential Mitigations
Phase: Architecture and Design, Implementation
Description:
Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is written directly to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file, to protect against potential cross-site scripting attacks against the viewer of the logs.
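As an added example (not part of the CWE entry itself), a Python error handler that applies this mitigation: the end user receives only a generic message and an opaque reference id, while the exception text and stack trace are HTML-entity-encoded and written to a server-side log. The names `handle_error`, `unsafe_handle_error` and `demo` are assumed here for illustration.

```python
import html
import logging
import traceback
import uuid
from typing import Tuple

# Constructed example: an application-level error handler that keeps
# system-level detail out of the response and HTML-encodes it before logging.
LOG = logging.getLogger("app.errors")


def unsafe_handle_error(exc: BaseException) -> Tuple[int, str]:
    """Weak pattern (CWE-497 style): internal detail goes straight to the user."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, detail


def handle_error(exc: BaseException) -> Tuple[int, str, str]:
    """Mitigated pattern. Returns (status, user_message, log_line).

    The user sees a generic message plus an incident id they can quote to
    support; the log line carries the full detail, entity-encoded so that
    attacker-influenced text in an exception message cannot execute in a
    browser-based log viewer.
    """
    incident_id = uuid.uuid4().hex
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # html.escape encodes <, >, &, and (with quote=True) " and '.
    log_line = f"incident={incident_id} detail={html.escape(detail, quote=True)}"
    LOG.error(log_line)
    user_message = f"An internal error occurred. Reference: {incident_id}"
    return 500, user_message, log_line


def demo() -> Tuple[Tuple[int, str], Tuple[int, str, str]]:
    """Raise an exception whose message carries user-controlled markup and
    run it through both handlers. Constructed input, not a real request."""
    try:
        raise ValueError("bad value: <script>alert(1)</script> in /srv/app/db.py")
    except ValueError as exc:
        return unsafe_handle_error(exc), handle_error(exc)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    unsafe, safe = demo()
    print("unsafe response:", unsafe[1])
    print("safe response:", safe[1])
```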