rspec/rules/S6776/csharp/rule.adoc

Exception stack traces contain sensitive data that the application's code should
not disclose as error messages. 

== Why is this an issue?

Stack traces contain sensitive data like filenames or folder hierarchies. 
They can expose implementation details, including the application's
architecture, logic, and potential vulnerabilities. Attackers can leverage these
valuable insights to identify weaknesses, devise attack strategies, and exploit
vulnerabilities.

// How to fix it section

include::how-to-fix-it/asp.net.adoc[]

include::how-to-fix-it/blazor.adoc[]

== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure] 
* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code] 
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Source: this invocation returns a stack trace.
Sink: this invocation outputs sensitive content to the HTTP response.


endif::env-github,rspecator-view[]
Create rule S6776: Stack-traces should not be disclosed (#4133) * Add csharp to rule S6776 * Add blazor content * Add Blazor * Add how to fix it in ASP.NET section * Update rules/S6776/csharp/how-to-fix-it/blazor.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Update rules/S6776/csharp/how-to-fix-it/blazor.adoc Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> * Remove dash --------- Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2024-08-22 11:17:16 +02:00			`Exception stack traces contain sensitive data that the application's code should`
			`not disclose as error messages.`

			`== Why is this an issue?`

			`Stack traces contain sensitive data like filenames or folder hierarchies.`
			`They can expose implementation details, including the application's`
			`architecture, logic, and potential vulnerabilities. Attackers can leverage these`
			`valuable insights to identify weaknesses, devise attack strategies, and exploit`
			`vulnerabilities.`

			`// How to fix it section`

			`include::how-to-fix-it/asp.net.adoc[]`

			`include::how-to-fix-it/blazor.adoc[]`

			`== Resources`

			`=== Standards`

			`* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]`
			`* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]`
			`* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]`
			`* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]`
			`* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.`


			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Source: this invocation returns a stack trace.`
			`Sink: this invocation outputs sensitive content to the HTTP response.`


			`endif::env-github,rspecator-view[]`