UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application does not disclose unnecessary information to users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16814 APP3620 SV-17814r1_rule ECCD-1 Medium
Description
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version) This provides attackers additional information which they can use to find other attack avenues, or tailor specific attacks, on the application.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-17813r1_chk )
Ask the application representative to demonstrate the application does not disclose any information about the application which could be used by an attacker to gain access to the application. UDDI registries should also not provide any information about the application which could be used by an attacker to gain access to the web service. WSDL should not provide unnecessary information (especially debugging features).

Ask the application representative to login as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user.

1) If the application displays any data that should not be disclosed, this is a finding.
Fix Text (F-17231r1_fix)
Remove unnecessary information displayed by the application.