UCF STIG Viewer Logo

The application must not disclose unnecessary information to users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222600 APSC-DV-002480 SV-222600r508029_rule Medium
Description
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version). These events usually occur when the web application has not been configured to send specific error messages for error events. Instead, when a processing anomaly occurs, the application displays technical information about the type of application server, database in use, or other technical details. This provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application.
STIG Date
Application Security and Development Security Technical Implementation Guide 2020-09-30

Details

Check Text ( C-24270r493708_chk )
Review the application system documentation and interview the application administrators.

Ask them to demonstrate how the web server and application configuration does not disclose any information about the application which could be used by an attacker to gain access to the application.

Ask the application representative to logon as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user.

Review web server configuration and determine if custom error pages are configured to display on error events.

Review error pages sent to application users to verify the pages are generic in nature and provide no technical details related to application architecture.

If the application displays any application technical data such as database version, application server information, or any other technical details that should not be disclosed to a regular user, this is a finding.
Fix Text (F-24259r493709_fix)
Configure the application to not display technical details about the application architecture on error events.