ExposureInTransmittedData.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Sending sensitive data back to the user, for example in an HTTP response, is a security risk:
anything written to the response is visible to whoever controls the client. Always check that
data written to a response is actually intended for the recipient. Passwords, and the messages
and stack traces of database exceptions, are generally not appropriate to send to the user: they
reveal credentials and internal details (table and column names, SQL text, connection strings,
file paths) that an attacker can use to plan further attacks.
</p>
</overview>
<recommendation>
<p>
Never include a submitted password, or the text of an exception, in a response to the user.
Instead, return a short, user-friendly message that contains no sensitive information, and
write the technical detail (exception type, message, stack trace) to a server-side log. A
useful pattern is to generate an opaque correlation identifier, log the detail under that
identifier, and include only the identifier in the user-facing message so that support staff
can find the log entry without the user ever seeing its contents.
</p>
</recommendation>
<example>
<p>
The following example shows the user password being sent back to the user.
</p>
<sample src="TransmittedPassword.cs" />
<p>
The following example shows a database exception being sent to the user. Exception messages and
stack traces often contain technical or sensitive detail (SQL text, connection details, internal
paths) that the user should not see.
</p>
<sample src="TransmittedException.cs" />
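<p>
The following stand-alone C# program is an added illustration and is not one of the query's own
sample files. It places an insecure login handler, which echoes the submitted password and the raw
exception to the client, beside a hardened one that returns a generic message with a correlation
identifier and writes the detail to a log. The names LoginHandler, HandleLoginInsecure,
HandleLoginSecure and Authenticate are hypothetical; a TextWriter stands in for the HTTP response
and for the log sink, and the exception thrown by Authenticate is constructed to resemble a
database connection failure so that the program runs without a database.
</p>

```csharp
using System;
using System.IO;

// Added example, not part of the CodeQL query's sample files.
// "response" stands in for the HTTP response sent to the client;
// "log" stands in for a server-side log sink. Both are plain TextWriters
// here so the program runs stand-alone.
public static class LoginHandler
{
    // BAD: the submitted password and the raw exception are echoed to the client.
    public static void HandleLoginInsecure(string user, string password, TextWriter response)
    {
        try
        {
            Authenticate(user, password);
            response.WriteLine("Welcome " + user);
        }
        catch (Exception ex)
        {
            // Reveals the credential and internals such as server names,
            // connection details and a stack trace.
            response.WriteLine("Login failed for " + user + " with password " + password);
            response.WriteLine(ex.ToString());
        }
    }

    // GOOD: the client sees a generic message plus an opaque correlation id;
    // the technical detail (never the password) goes to the server-side log
    // under that id, so support staff can look it up.
    public static void HandleLoginSecure(string user, string password, TextWriter response, TextWriter log)
    {
        try
        {
            Authenticate(user, password);
            response.WriteLine("Welcome " + user);
        }
        catch (Exception ex)
        {
            string correlationId = Guid.NewGuid().ToString("N");
            log.WriteLine("[" + correlationId + "] login failure for user '" + user + "': " + ex);
            response.WriteLine("Login failed. If the problem persists, quote reference " + correlationId + ".");
        }
    }

    // Simulated data-access layer (hypothetical). It fails the way a misconfigured
    // database call might, with a message that leaks internal detail.
    private static void Authenticate(string user, string password)
    {
        throw new InvalidOperationException(
            "Cannot open database \"Accounts\" on server db01.internal: login failed for user 'app_svc'");
    }

    public static void Main()
    {
        TextWriter client = Console.Out;   // what the browser would receive
        TextWriter log = Console.Error;    // what only operators should see

        // Constructed input: a user name and a (fake) password.
        HandleLoginInsecure("alice", "hunter2", client);
        HandleLoginSecure("alice", "hunter2", client, log);
    }
}
```

<p>
Run it and compare standard output (the client's view) with standard error (the log): the
insecure handler prints the password, the internal server name and the stack trace to the client,
while the secure handler prints only a generic message and a reference id, and the detail appears
in the log alone.
</p>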
</example>
<references>
<li>OWASP: <a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">Sensitive Data Exposure</a>.</li>
</references>
</qhelp>