ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6776/python/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

38 lines
1.4 KiB
Plaintext
Raw Blame History

Exception stack traces contain sensitive data that the application's code should not disclose as error messages.
== Why is this an issue?
Stack traces contain sensitive data like filenames or folder hierarchies.
They can expose implementation details, including the application's architecture, logic, and potential vulnerabilities.
Attackers can leverage these valuable insights to identify weaknesses, devise attack strategies, and exploit vulnerabilities.
// How to fix it section
include::how-to-fix-it/flask.adoc[]
== Resources
=== Documentation
Python Documentation - https://docs.python.org/3/library/traceback.html[traceback — Print or retrieve a stack traceback]
=== Standards
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/209[CWE-209 - Generation of Error Message Containing Sensitive Information]
* CWE - https://cwe.mitre.org/data/definitions/489[CWE-489 - Active Debug Code]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Source: this invocation returns a stack trace.
Sink: this invocation outputs sensitive content to the HTTP response.
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink