Information Exposure of Internal State Through Behavioral Inconsistency| ID: 206 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
Two separate operations in a product cause the product to
behave differently in a way that is observable to an attacker and reveals
security-relevant information about the internal state of the product, such as
whether a particular operation was successful or not.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityAccess_Control | Read application
dataBypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Setup generic response pages for error condition. The error page
should not disclose information about the success or failure of a
sensitive operation. For instance, the login page should not confirm
that the login is correct and the password incorrect. The attacker who
tries random account name may be able to guess some of them. Confirming
that the account exists would make the login page more susceptible to
brute force attack. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-206 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-2031 : File existence via infoleak monitoring whether "onerror" handler fires or not.
- CVE-2005-2025 : Valid groupname enumeration via behavioral infoleak (sends response if valid, doesn't respond if not).
- CVE-2001-1497 : Behavioral infoleak in GUI allows attackers to distinguish between alphanumeric and non-alphanumeric characters in a password, thus reducing the search space.
- CVE-2003-0190 : Product immediately sends an error message when user does not exist instead of waiting until the password is provided, allowing username enumeration.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Internal behavioral inconsistency infoleak | |
References:None
