Review code for information disclosure vulnerabilities
Description
Disclosing exception information gives attackers insight into the internals of your application, which can help attackers find other vulnerabilities to exploit.
This rule attempts to find an exception message, stack trace, or string representation being output to an HTTP response. This rule can't track data across assemblies. For example, if one assembly catches an exception and then passes it to another assembly that outputs the exception, this rule won't produce a warning. There is a configurable limit to how deep this rule will analyze data flow across method calls. For information about how to configure the limit in an EditorConfig file, see Analyzer Configuration.
Cause
An exception's message, stack trace, or string representation reaches web output.
By default, this rule analyzes the entire codebase, but this is configurable.
How to fix violations
Don't output exception information to HTTP responses. Instead, provide a generic error message. For more information, see OWASP's Improper Error Handling page.
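The same fix applied in an ASP.NET Core application, as an added example that is not part of this documentation page: a central exception handler logs the full exception (message and stack trace) on the server, while the client receives only a generic message and an opaque correlation id it can quote to support. The `/boom` route is a constructed endpoint that reproduces the page's NullReferenceException.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Central handler: exception details stay in the server-side log; the HTTP
// response carries only a generic message plus a correlation id.
app.UseExceptionHandler(errorApp =>
{
    errorApp.Run(async context =>
    {
        var feature = context.Features.Get<IExceptionHandlerFeature>();
        var logger = context.RequestServices
            .GetRequiredService<ILoggerFactory>()
            .CreateLogger("ExceptionHandler");
        var correlationId = context.TraceIdentifier;

        // e.ToString() equivalent (message + stack trace) goes to the log only.
        logger.LogError(feature?.Error,
            "Unhandled exception, correlation id {CorrelationId}", correlationId);

        context.Response.StatusCode = StatusCodes.Status500InternalServerError;
        await context.Response.WriteAsJsonAsync(new
        {
            error = "An error occurred. Please try again later.",
            correlationId
        });
    });
});

// Constructed endpoint (hypothetical): same NullReferenceException as the page's example.
app.MapGet("/boom", () =>
{
    object o = null;
    return o.ToString();
});

app.Run();
```

Because nothing derived from the exception is written to the response, the data flow the rule tracks never reaches web output, so CA3004 does not fire.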
Example

Violation (the exception's full string representation, including its stack trace, is written to the HTTP response):

    using System;

    public partial class WebForm : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs eventArgs)
        {
            try
            {
                object o = null;
                o.ToString();   // throws NullReferenceException
            }
            catch (Exception e)
            {
                // Violation: message and stack trace reach the client.
                this.Response.Write(e.ToString());
            }
        }
    }

Solution (only a generic message reaches the client):

    using System;

    public partial class WebForm : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs eventArgs)
        {
            try
            {
                object o = null;
                o.ToString();   // throws NullReferenceException
            }
            catch (Exception e)
            {
                // Generic message only; exception details stay server-side.
                this.Response.Write("An error occurred. Please try again later.");
            }
        }
    }

When to suppress
If you know your web output is within your application's trust boundary and never exposed outside, it's okay to suppress this warning. This is rare. Take into consideration that your application's trust boundary and data flows may change over time.