github-actions[bot] 1c2ab2361a
Create rule S6776: Stack-traces should not be disclosed (#4133)
* Add csharp to rule S6776

* Add blazor content

* Add Blazor

* Add how to fix it in ASP.NET section

* Update rules/S6776/csharp/how-to-fix-it/blazor.adoc

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>

* Update rules/S6776/csharp/how-to-fix-it/blazor.adoc

Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>

* Remove dash

---------

Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com>
Co-authored-by: Hendrik Buchwald <hendrik.buchwald@sonarsource.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2024-08-22 11:17:16 +02:00


Exception stack traces contain sensitive data that the application's code should
not disclose as error messages.

== Why is this an issue?

Stack traces contain sensitive data like filenames or folder hierarchies.
They can expose implementation details, including the application's
architecture, logic, and potential vulnerabilities. Attackers can leverage these
valuable insights to identify weaknesses, devise attack strategies, and exploit
vulnerabilities.
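As an added illustration, not part of this rule's own how-to-fix content, the following ASP.NET Core minimal API contrasts an endpoint that writes the caught exception into the HTTP response with one that logs it server-side and returns only a generic problem response. The `/orders/{id}` routes, the `LoadOrder` helper and its failing input are constructed for this example and do not come from the rule.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Detailed exception pages are acceptable only while developing; in any other
// environment, route unhandled exceptions to a generic handler instead.
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/error");
}

app.Map("/error", () => Results.Problem(
    title: "An unexpected error occurred.",
    statusCode: StatusCodes.Status500InternalServerError));

// Noncompliant: ex.ToString() includes the stack trace, so the source
// (the caught exception) flows straight into the sink (the HTTP response).
app.MapGet("/orders/{id}/noncompliant", async (string id, HttpContext ctx) =>
{
    try
    {
        await ctx.Response.WriteAsync(LoadOrder(id));
    }
    catch (Exception ex)
    {
        ctx.Response.StatusCode = StatusCodes.Status500InternalServerError;
        await ctx.Response.WriteAsync(ex.ToString()); // stack trace sent to the client
    }
});

// Compliant: the exception (with its stack trace) goes to the server-side log,
// and the client receives a generic message plus a reference id for support.
app.MapGet("/orders/{id}", (string id, HttpContext ctx, ILogger<Program> logger) =>
{
    try
    {
        return Results.Text(LoadOrder(id));
    }
    catch (Exception ex)
    {
        var reference = ctx.TraceIdentifier;
        logger.LogError(ex, "Order lookup failed for {OrderId}; reference {Reference}", id, reference);
        return Results.Problem(
            title: "An unexpected error occurred.",
            detail: $"Reference: {reference}",
            statusCode: StatusCodes.Status500InternalServerError);
    }
});

app.Run();

// Constructed stand-in for a data-access call (hypothetical, not from the rule):
// any id other than "1" fails, which is what raises the exception in both
// endpoints above.
static string LoadOrder(string id) =>
    id == "1"
        ? "{\"id\":1,\"status\":\"shipped\"}"
        : throw new InvalidOperationException($"Order {id} not found in table dbo.Orders");
```

Requesting `/orders/42/noncompliant` returns the exception type, message and frame list to the caller, which is exactly the disclosure this rule flags; `/orders/42` returns an RFC 7807 problem document whose only variable part is the request's `TraceIdentifier`, and the full exception is available to operators in the log. Enabling the developer exception page outside development is the CWE-489 (active debug code) variant of the same issue.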

// How to fix it section
include::how-to-fix-it/asp.net.adoc[]
include::how-to-fix-it/blazor.adoc[]

== Resources

=== Standards

* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
* STIG Viewer - https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222610[Application Security and Development: V-222610] - The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Source: this invocation returns a stack trace.
Sink: this invocation outputs sensitive content to the HTTP response.

endif::env-github,rspecator-view[]