CVE-2021-27774 User input included in error response, which could be used in a phishing attack.

Always check the website’s status using the built-in status codes before accepting the information.

Avoid using the “403 Forbidden” error code because it may be used for sensitive reasons, such as when a user tries to access a private or sensitive page.

Make sure that you are not sending any sensitive information in the error response.

Sensitive information should not be sent in a response body at all.

Use a secure connection for transmitting sensitive data.

Always check the request’s URI closely against what the user has tried to access.

Always validate the user’s credentials before returning data.

Other Security Measures to Take While Handling Exceptions

- Avoid storing sensitive data in a response body.

- Always validate the user’s credentials before returning data.

- Use a secure connection for transmitting sensitive data.

Timeline

Published on: 09/22/2022 21:15:00 UTC
Last modified on: 09/24/2022 02:33:00 UTC

References

• https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100491
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27774