Skip to content

The application must not disclose unnecessary information to users.

An XCCDF Rule

Description

<VulnDiscussion>Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version). These events usually occur when the web application has not been configured to send specific error messages for error events. Instead, when a processing anomaly occurs, the application displays technical information about the type of application server, database in use, or other technical details. This provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-222600r961638_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure the application to not display technical details about the application architecture on error events.