csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.

Run Locally

Run in CI

Defintion

rules:
  - id: stacktrace-disclosure
    patterns:
      - pattern: $APP.UseDeveloperExceptionPage(...);
      - pattern-not-inside: |
          if ($ENV.IsDevelopment(...)) {
            ... 
            $APP.UseDeveloperExceptionPage(...); 
            ...
          }
    message: Stacktrace information is displayed in a non-Development environment.
      Accidentally disclosing sensitive stack trace information in a production
      environment aids an attacker in reconnaissance and information gathering.
    metadata:
      category: security
      technology:
        - csharp
      owasp:
        - A06:2017 - Security Misconfiguration
        - A04:2021 - Insecure Design
      cwe:
        - "CWE-209: Generation of Error Message Containing Sensitive Information"
      references:
        - https://cwe.mitre.org/data/definitions/209.html
        - https://owasp.org/Top10/A04_2021-Insecure_Design/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: WARNING

Examples

stacktrace-disclosure.cs

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
        if (!env.IsDevelopment())
        {
            // ruleid: stacktrace-disclosure
            app.UseDeveloperExceptionPage();
        }
    else
        {
            app.UseExceptionHandler("/Error");
        }

}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
        if (env.IsDevelopment())
        {
            // ok: stacktrace-disclosure
            app.UseDeveloperExceptionPage();
        }
    else
        {
            app.UseExceptionHandler("/Error");
        }
}