Major Description
Affected API: POST /sessions
Description: Application does not handle exceptions properly. When some junk character is supplied to the parameter, it causes exception and server responds with response code 500 which should not be visible to end user. It was observed that throughout the applications and APIs in scope, JSON parsers, XML parsers and the application server throws exceptions and stack traces in several cases.
Risk:
If an attacker probes the application by forging a request that contains parameters or parameter values other than the ones expected by the application, the application may enter an undefined state that makes it vulnerable to attack. The attacker can gain useful
information from the application's response to this request, which information may be exploited to locate application weaknesses.
Fix:
Check incoming requests for the presence of all expected parameters and values. When a parameter is missing, issue a proper error message or use default values. The application should verify that its input consists of valid characters (after decoding). For example, an input value containing the null byte (encoded as %00), apostrophe, quotes, etc. should be rejected. Enforce values in their expected ranges and types.
Evidence:
In the attachment