Version

SB.16.003 Unintended Information Disclosure

Low
Low
Low
System Hardening
System Owner
v2.0 (Q1 2024)

Description

Applications and services are configured not to display information that is unnecessary.

Functionality is designed and configured to prevent enumeration of information.

Specification

Information that should not be enumerable includes: user names, email addresses, files, version information, server configuration and structure, endpoints and so forth.

Error messages and headers should be compact and must not contain any technical information about the environment (such as stack traces, debugging output, etc.).

Comments in code should not be accessible by end users.

Make sure that files which are not meant to be accessed directly are indeed not directly accessible; verify this either by hand or with tools such as URL fuzzers (https://github.com/xmendez/wfuzz).
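As an added illustration of the specification above (it is not part of the control text), the following Python check inspects an HTTP response for the kinds of disclosure this control forbids: version details in headers, stack traces or debug output in the body, developer comments reaching end users, and oversized error pages. The sample responses are constructed; the header names and patterns are common conventions and are not a complete list.

```python
import re
from typing import Dict, List

# Response headers that commonly carry product and version details (assumed common set).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Patterns that indicate a stack trace or debugging output leaked into a response body.
TRACE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python
    re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)"),                 # Java
    re.compile(r"Fatal error: .* in /\S+ on line \d+"),          # PHP (plain text)
    re.compile(r"<b>Warning</b>: .* on line <b>\d+</b>"),        # PHP (HTML)
]
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
VERSION_NUMBER = re.compile(r"\d+\.\d+")

def audit_response(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of findings describing information the response should not disclose."""
    findings = []
    # Headers: a product name alone is tolerable, a product plus version number is not.
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and VERSION_NUMBER.search(value):
            findings.append(f"header {name} discloses version: {value}")
    # Body: stack traces and debug output describe the environment to the caller.
    for pat in TRACE_PATTERNS:
        if pat.search(body):
            findings.append(f"body contains stack trace or debug output ({pat.pattern[:30]}...)")
    # Body: developer comments are visible to anyone who views the source.
    for comment in HTML_COMMENT.findall(body):
        text = comment.strip()
        if text:
            findings.append(f"body contains developer comment: {text[:60]}")
    # Error responses should be compact; a large 5xx page usually carries diagnostics.
    if status >= 500 and len(body) > 512:
        findings.append(f"error page is {len(body)} bytes; keep error responses compact")
    return findings

# Constructed sample responses (not captured from any real system).
LEAKY = (500, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
         "<!-- TODO: remove debug endpoint /internal/export before go-live -->\n"
         "<b>Warning</b>: mysqli_connect(): in <b>/var/www/app/db.php</b> on line <b>12</b>")
HARDENED = (500, {"Server": "webserver"}, "<html><body>An error occurred.</body></html>")

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(*resp) or "no findings")
```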