Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/dast/checks/209.2.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/application_security/dast/checks/209.2.md')
-rw-r--r--doc/user/application_security/dast/checks/209.2.md43
1 files changed, 43 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/209.2.md b/doc/user/application_security/dast/checks/209.2.md
new file mode 100644
index 00000000000..2060bb1802b
--- /dev/null
+++ b/doc/user/application_security/dast/checks/209.2.md
@@ -0,0 +1,43 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Generation of database error message containing sensitive information
+
+## Description
+
+The application was found to return database error messages. Determining the type of database may assist attackers in exploiting
+SQL Injection attacks against the system. While debug messages are helpful during development and debugging, they should not be
+presented to users when an error occurs.
+
+## Remediation
+
+Applications should handle database error conditions internally and map known failure types to error codes that can be displayed
+to a user. These error codes should be customized to the application and returned along with the relevant HTTP error code.
+
+When an error occurs, the application identifies the error type or class, and displays a numerical value to the
+user. Requests should also be tracked so when a user is presented with an error code, it has a corresponding request ID.
+Support teams can then correlate the HTTP error, the customized error code, and the request ID in the log files to
+determine the root cause of the error without leaking details to the end user.
+
+Example of returning customized errors:
+
+```plaintext
+HTTP/1.1 500 Internal Server Error
+...
+Error [0004] Occurred, please contact support or re-try your request again shortly.
+Request ID [a4bc91def12]
+...
+```
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 209.2 | false | 209 | Passive | Low |
+
+## Links
+
+- [CWE](https://cwe.mitre.org/data/definitions/209.html)
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-19 05:33:10 +0300