T 4.87 Disclosure of confidential information in web applications
Websites and data generated and delivered by a web application can contain confidential information that is not required for using the web application (e.g. the product names and versions of the frameworks in use). Such information helps an attacker prepare targeted attacks on the web application, so its unnecessary disclosure can make a successful attack easier. The information may also reach the attacker through less obvious channels (e.g. in the HTTP headers).
Examples:
- Detailed information on security mechanisms or attributes is displayed that the user of the web application does not need but that is useful for preparing attacks (e.g. "Enter the 6-digit, numeric PIN" instead of "Please enter the PIN"). An attacker can use this information to narrow down the character set and length to try in a brute-force attack and thus determine a valid PIN faster.
- Comments (e.g. in the HTML source text) can contain information on known errors, functionality, the techniques used and the connected infrastructure. This allows an attacker to search specifically for vulnerabilities in the web application and the infrastructure in order to exploit them. If, for example, the access credentials for a database used during the development phase are mentioned, they may also grant unauthorised access in production operation of the web application.
- Files with file extensions the web server does not process (e.g. temporary files with .tmp or backup files with .bak left over from the web application's scripts) are delivered by the web application as source text. In this way, confidential information such as hard-coded access credentials can be read. Furthermore, the disclosed code lets an attacker examine the program logic for vulnerabilities.
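The following script is an added example, not part of the BSI catalogue: it audits a single HTTP response for the three disclosure classes described above (version banners in headers, informative HTML comments, and references to stray backup or temporary files). The header names, keyword list and extension list are illustrative assumptions, and the response it inspects is constructed inline.

```python
"""Audit one raw HTTP response for the disclosures described in T 4.87.
Example code for this catalogue entry; lists below are assumptions, not a standard."""
import re

# Headers that commonly carry product/version banners (illustrative selection).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Words that make an HTML comment worth a closer look (illustrative selection).
COMMENT_KEYWORDS = ("password", "passwd", "todo", "fixme", "bug", "db", "user", "internal")
# Extensions typical of editor, temporary or backup leftovers (illustrative selection).
STRAY_EXTENSIONS = (".bak", ".tmp", ".old", ".orig", ".swp", "~")

def parse_response(raw: str) -> tuple[dict, str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_response(raw: str) -> list[str]:
    """Return one finding per disclosure spotted; an empty list means nothing flagged."""
    headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:                  # 1. banners in HTTP headers
        if name in headers:
            findings.append(f"header: {name} discloses '{headers[name]}'")
    for comment in re.findall(r"<!--(.*?)-->", body, flags=re.S):   # 2. HTML comments
        text = comment.strip()
        if any(k in text.lower() for k in COMMENT_KEYWORDS):
            findings.append(f"comment: {text[:60]!r}")
    for ref in re.findall(r"""(?:src|href)=["']([^"']+)["']""", body):  # 3. stray files
        if ref.lower().endswith(STRAY_EXTENSIONS):
            findings.append(f"stray file referenced: {ref}")
    return findings

# Constructed sample response exhibiting all three disclosure classes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head>\n"
    "<!-- TODO: remove dev DB user 'app_dev' before go-live -->\n"
    '<script src="/js/app.js"></script>\n'
    '<script src="/js/app.js.bak"></script>\n'
    "</head><body>Please enter the PIN</body></html>"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Running the script against the constructed response lists two header banners, one suspicious comment and one referenced backup file; the same function can be pointed at responses captured from a test deployment before go-live.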