Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16814 | APP3620 | SV-17814r1_rule | ECCD-1 | Medium |
Description |
---|
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version) This provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application. |
STIG | Date |
---|---|
Application Security and Development Checklist | 2014-12-22 |
Check Text ( C-17813r1_chk ) |
---|
Ask the application representative to demonstrate the application does not disclose any information about the application which could be used by an attacker to gain access to the application. UDDI registries should also not provide any information about the application which could be used by an attacker to gain access to the web service. WSDL should not provide unnecessary information (especially debugging features). Ask the application representative to login as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user. 1) If the application displays any data that should not be disclosed, this is a finding. |
Fix Text (F-17231r1_fix) |
---|
Remove unnecessary information displayed by the application. |