Security Test: Field Suggestion

Description

Default Severity:

When an application reveals too much detail in its error messages, it can inadvertently give attackers clues about how its internal database or data structures are organized. An error that suggests or lists valid field names tells an attacker which fields exist and how the data is arranged, which makes it easier to exploit other weaknesses and gain unauthorized access. A common pitfall is that developers include detailed error information because it aids debugging, but in a production system that same detail becomes a roadmap for attackers. Once an attacker understands the structure, they can target vulnerabilities more effectively, potentially leading to serious breaches.
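As an added illustration (not code from this page or from the scanner's own check), the following constructed Python handler returns field-name suggestions in its error body next to a hardened version that keeps the detail server-side, plus the detection heuristic this check implies: flag error responses that name schema fields the client never sent. The field list, request body and messages are assumptions.

```python
import difflib
import json
import re

# Constructed schema of a hypothetical REST resource (not from the page).
USER_FIELDS = {"id", "username", "email", "password_hash", "is_admin", "api_token"}


def validate_verbose(body: dict) -> tuple[int, dict]:
    """'Before' handler: rejects unknown keys but suggests the real field names.
    Every suggestion discloses part of the schema to whoever sent the request."""
    unknown = [k for k in body if k not in USER_FIELDS]
    if not unknown:
        return 200, {"status": "ok"}
    suggestions = {
        k: difflib.get_close_matches(k, sorted(USER_FIELDS), n=3, cutoff=0.5)
        for k in unknown
    }
    return 400, {"error": f"unknown fields: {unknown}", "did_you_mean": suggestions}


def validate_hardened(body: dict) -> tuple[int, dict]:
    """Hardened handler: same accept/reject decision, generic client-facing
    message; the rejected keys belong in server-side logs only."""
    unknown = [k for k in body if k not in USER_FIELDS]
    if not unknown:
        return 200, {"status": "ok"}
    # log.warning("rejected unknown fields %s", unknown)  # server side, never echoed
    return 400, {"error": "invalid request body"}


def leaked_field_names(request_body: dict, status: int, response: dict) -> set[str]:
    """Detection heuristic: on an error response, report every schema field
    name that appears in the response body but was not sent by the client.
    Subtracting the client's own keys avoids flagging a plain echo of them."""
    if status < 400:
        return set()
    tokens = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", json.dumps(response)))
    return (tokens & USER_FIELDS) - set(request_body)


if __name__ == "__main__":
    # Constructed client request with two misspelled keys.
    req = {"usernam": "bob", "is_admn": True}
    for handler in (validate_verbose, validate_hardened):
        status, resp = handler(req)
        print(handler.__name__, status, resp, leaked_field_names(req, status, resp))
```

The verbose handler is flagged for disclosing `username` and `is_admin`; the hardened one produces an empty set.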

Reference:

Configuration

Identifier: information_disclosure/rest_field_suggestion

Examples

All configuration available:

checks:
  information_disclosure/rest_field_suggestion:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API3:2023
OWASP LLM Top 10    LLM09:2023
GDPR                Article-5
SOC2                CC2
PSD2                Article-21
ISO 27001           A.14.1
NIST                SP800-53
FedRAMP             SI-11
CWE                 200