
CWE-200 Information Exposure

Description

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the application reveals internal details such as stack traces, exception messages, file paths, hostnames, query text or class names to a party that should not see them. In Java web applications the most common channel is an error response that echoes exception details straight to the HTTP client, where they help an attacker map the stack, the schema and the deployment before attempting anything else.

Reference: https://cwe.mitre.org/data/definitions/200.html

OWASP Category: A01:2021 – Broken Access Control


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: exception details exposed to the client
@ExceptionHandler(Exception.class)
public ResponseEntity<?> handleException(Exception e) {
    e.printStackTrace();                                  // unstructured write to stderr, bypasses the logging pipeline
    return ResponseEntity.status(500).body(e.getMessage()); // raw message (SQL text, paths, hostnames...) sent to the caller
}

Why it's vulnerable: e.getMessage() is whatever the failing layer put into the exception. For a JDBC driver that is often the SQL statement and the database host, for file I/O the absolute path, for a serializer the fully qualified class name. All of it is returned verbatim in the 500 body, so any caller who can trigger an error learns internals that should stay on the server. The printStackTrace() call adds a second problem: the trace goes to stderr instead of the application log, where it is unstructured, carries no request context and may be missed by alerting.


Deterministic Fix

✅ Example 2: Secure Implementation

// SECURE: log details internally, return a generic message plus a correlation ID
// `log` is an SLF4J logger (org.slf4j.Logger, e.g. via Lombok's @Slf4j)
@ExceptionHandler(Exception.class)
public ResponseEntity<?> handleException(Exception e) {
    String errorId = UUID.randomUUID().toString();        // opaque, unguessable correlation ID
    log.error("Error ID {}: {}", errorId, e.getMessage(), e); // full message and stack trace stay in the server log
    return ResponseEntity.status(500)
        .body(Map.of("error", "Internal error", "errorId", errorId)); // fixed text only
}

Why it's secure: the client sees a constant message and a random UUID, neither of which says anything about the cause. The exception message and the stack trace are written once, at ERROR level, to the application log keyed by that UUID, so support staff can match a user's report to the exact log entry without the response itself carrying the detail. Two caveats: this handler only covers exceptions that reach Spring MVC, so Spring Boot's own error page (server.error.* properties, see the remediation steps) must be locked down as well; and the log now holds the sensitive text, so access to the log is part of the trust boundary.


Detection Pattern

Look for these patterns in your codebase:

# Find exception details flowing into responses (review each hit: the secure pattern also calls getMessage, but only for logging)
grep -rnE 'printStackTrace|getMessage\(\).*body|e\.toString\(\)' --include='*.java' .

Remediation Steps

  1. Return generic error messages to users: a fixed string such as "Internal error", never the exception message, class name or stack trace

  2. Log detailed errors internally with correlation IDs: generate a random UUID per error, put it in both the log entry and the response so the two can be matched later

  3. Disable debug mode in production: in Spring Boot keep server.error.include-stacktrace=never, server.error.include-message=never and server.error.include-exception=false, so the framework's default error response does not leak what the handler avoids

  4. Review error responses for information leakage: exercise 4xx and 5xx paths and check the bodies for paths, hostnames, SQL, class names and stack frames
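The steps above, carried through as an added example (not code from the original skill page): a framework-free Java program that runs the vulnerable handler and the secure handler against the same exception so the leak and the fix can be compared. `ErrorResponse` is a hypothetical stand-in for Spring's ResponseEntity, the exception message is constructed to resemble the detail a database layer might put in one (not a real driver message), and `leaksInternals` is the check a unit test for step 4 would make. Assumes Java 16 or later for the record.

```java
import java.util.Map;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example, not part of the original page: side-by-side run of the
 * vulnerable and secure exception handlers without Spring, runnable with
 * `java ErrorResponseDemo.java`.
 */
public class ErrorResponseDemo {

    private static final Logger LOG = Logger.getLogger(ErrorResponseDemo.class.getName());

    /** Hypothetical stand-in for an HTTP response: status code plus a JSON-like body. */
    record ErrorResponse(int status, Map<String, String> body) {}

    /** VULNERABLE: echoes whatever the exception carries back to the caller. */
    static ErrorResponse handleVulnerable(Exception e) {
        e.printStackTrace();                                  // unstructured write to stderr
        // Map.of rejects null values, so guard a null message the same way a real handler must
        return new ErrorResponse(500, Map.of("error", String.valueOf(e.getMessage())));
    }

    /** SECURE: opaque correlation ID to the caller, full detail only to the server log. */
    static ErrorResponse handleSecure(Exception e) {
        String errorId = UUID.randomUUID().toString();
        // Message and stack trace go to the log, keyed by the ID that the client receives
        LOG.log(Level.SEVERE, "Error ID " + errorId + ": " + e.getMessage(), e);
        return new ErrorResponse(500, Map.of("error", "Internal error", "errorId", errorId));
    }

    /**
     * Check a response body the way a unit test for step 4 would: none of the
     * internal markers that an exception message tends to carry may appear.
     */
    static boolean leaksInternals(ErrorResponse r, String... markers) {
        String body = r.body().toString();
        for (String marker : markers) {
            if (body.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed message: the kind of detail a database or I/O layer can put in an exception
        Exception boom = new RuntimeException(
            "SELECT password_hash FROM users WHERE email='a@b.example' failed on db-prod-01:5432 (/etc/app/db.conf)");
        String[] markers = {"SELECT", "password_hash", "db-prod-01", "/etc/app"};

        ErrorResponse vulnerable = handleVulnerable(boom);
        ErrorResponse secure = handleSecure(boom);

        System.out.println("vulnerable body: " + vulnerable.body()
            + "  leaks=" + leaksInternals(vulnerable, markers));
        System.out.println("secure body:     " + secure.body()
            + "  leaks=" + leaksInternals(secure, markers));

        // The assertions a unit test would make: no internals in the body, correlation ID present
        if (leaksInternals(secure, markers) || !secure.body().containsKey("errorId")) {
            throw new AssertionError("secure handler leaked internals or dropped the correlation ID");
        }
    }
}
```

The stack trace printed to stderr by the vulnerable handler and the SEVERE log line from the secure one appear in the console when the program runs; the point of the comparison is that only the first response body contains the query, the host and the path. In a real test the marker list should be built from the exception the test injects, so a change to the handler that reintroduces getMessage() in the body fails the build.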


Key Imports


import java.util.Map;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation: trigger an exception with a known message and assert that the response body contains neither that message nor a class name or stack frame, and that it does carry an errorId

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-200 vulnerability
Resolve Information Exposure issue
Secure this Java code against information exposure
SAST reports CWE-200

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, https://cwe.mitre.org/data/definitions/200.html
OWASP Top 10 2021, A01:2021 – Broken Access Control, https://owasp.org/Top10/A01_2021-Broken_Access_Control/

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07
