From 3d456d528ff0f52bbf85652546d1cdd65b320c34 Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 19 Dec 2024 08:54:44 -0800 Subject: [PATCH] Update Authorization_Cheat_Sheet.md --- cheatsheets/Authorization_Cheat_Sheet.md | 1 + 1 file changed, 1 insertion(+) diff --git a/cheatsheets/Authorization_Cheat_Sheet.md b/cheatsheets/Authorization_Cheat_Sheet.md index b6ecf69cda..a067c8652f 100644 --- a/cheatsheets/Authorization_Cheat_Sheet.md +++ b/cheatsheets/Authorization_Cheat_Sheet.md @@ -117,6 +117,7 @@ Failed access control checks are a normal occurrence in a secured application; c - Ensure all exception and failed access control checks are handled no matter how unlikely they seem ([OWASP Top Ten Proactive Controls C10: Handle all errors and exceptions](https://owasp.org/www-project-proactive-controls/v3/en/c10-errors-exceptions.html)). This does not mean that an application should always try to "correct" for a failed check; oftentimes a simple message or HTTP status code is all that is required. - Centralize the logic for handling failed access control checks. - Verify the handling of exception and authorization failures. Ensure that such failures, no matter how unlikely, do not put the software into an unstable state that could lead to authorization bypass. +- Ensure sensitive information, such as system logs or debugging output, is not exposed in error messages. Misconfigured error messages can increase the attack surface of your application. ([CWE-209: Generation of Error Message Containing Sensitive Information](https://cwe.mitre.org/data/definitions/209.html)) ### Implement Appropriate Logging
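Review bot: The added bullet's citation placement is inconsistent with the neighbouring bullets in this hunk, and the wording slightly misdescribes what CWE-209 covers. The existing first bullet puts its reference inside the sentence, "...no matter how unlikely they seem ([OWASP Top Ten Proactive Controls C10 ...](...))." whereas the new line ends the sentence with "application." and then leaves the "([CWE-209 ...](...))" parenthetical dangling with no closing period. Suggest folding the reference into the sentence, e.g. "Misconfigured error messages can increase the attack surface of your application ([CWE-209: Generation of Error Message Containing Sensitive Information](https://cwe.mitre.org/data/definitions/209.html))." Separately, "system logs" is an odd example of something exposed in an error message; the concern CWE-209 describes is error output that reveals internal detail to the caller (debugging output, stack traces, internal paths and the like), so consider leading with "debugging output" and dropping or rephrasing "system logs" so the bullet reads as guidance on what the error response itself must not contain.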