csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure

Author: semgrep

Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.


Definition

rules:
  - id: stacktrace-disclosure
    patterns:
      - pattern: $APP.UseDeveloperExceptionPage(...);
      - pattern-not-inside: |
          if ($ENV.IsDevelopment(...)) {
            ... 
            $APP.UseDeveloperExceptionPage(...); 
            ...
          }
    message: Stacktrace information is displayed in a non-Development environment.
      Accidentally disclosing sensitive stack trace information in a production
      environment aids an attacker in reconnaissance and information gathering.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A06:2017 - Security Misconfiguration
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-209: Generation of Error Message Containing Sensitive Information"
      references:
        - https://cwe.mitre.org/data/definitions/209.html
        - https://owasp.org/Top10/A04_2021-Insecure_Design/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - csharp
    severity: WARNING

Examples

stacktrace-disclosure.cs

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (!env.IsDevelopment())
    {
        // ruleid: stacktrace-disclosure
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
    }
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        // ok: stacktrace-disclosure
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
    }
}
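The same guard in the .NET 6+ minimal hosting form (Program.cs with top-level statements), added here as an example and not part of the rule's own test file. It also shows what the production branch should hand errors to: a handler that logs the exception server-side and returns a generic problem response with no type name, message or stack trace. The `/error` route, the `/boom` endpoint and the handler body are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    // ok: stacktrace-disclosure
    // The rule's $ENV metavariable binds to app.Environment here, so the
    // pattern-not-inside guard is still recognised in this hosting style.
    app.UseDeveloperExceptionPage();
}
else
{
    // Production: route unhandled exceptions to a handler that never echoes
    // exception details back to the client.
    app.UseExceptionHandler("/error");
}

// Assumed endpoint that throws, to exercise the handler.
app.MapGet("/boom", () => { throw new InvalidOperationException("internal detail"); });

// Assumed error endpoint: the full exception (with stack trace) goes to the
// server log only; the client gets an RFC 7807 problem body plus a trace id
// that support staff can correlate with that log entry.
app.Map("/error", (HttpContext ctx, ILogger<Program> log) =>
{
    var feature = ctx.Features.Get<IExceptionHandlerFeature>();
    if (feature is not null)
    {
        log.LogError(feature.Error, "Unhandled exception at {Path}", feature.Path);
    }

    return Results.Problem(
        title: "An unexpected error occurred.",
        statusCode: StatusCodes.Status500InternalServerError,
        extensions: new Dictionary<string, object?> { ["traceId"] = ctx.TraceIdentifier });
});

app.Run();
```

Running with `ASPNETCORE_ENVIRONMENT=Production` and requesting `/boom` yields only the generic problem body; the same request in Development shows the developer exception page.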