Web Application Security: Application Error Handling

    Date05 Sep 2006
    4046
    Posted ByBrittany Day
    When an application error occurs, whether due to user input or an internal function, we as conscientious developers want to present an error message that will help the end user correct the problem. However, it is possible to be too helpful with your error handling approach. By providing overly detailed application error messages to your users, you can actually be opening your site to hackers. Hackers spend the majority of their time performing reconnaissance on a site, slowly gathering multiple pieces of information to determine how a site is vulnerable. Sometimes, it is a seemingly innocuous piece of information in an application error message that provides an attacker with the last piece of the puzzle necessary for him to launch a devastating attack.

    A classic example of providing too much information in an application error message is an authentication failure message on a login screen. At first, it would seem helpful to utilize an error handling method that presents a distinct message indicating that the user ID entered was not found versus indicating that the password was incorrect. And, in fact, it is helpful

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"67","type":"x","order":"1","pct":57.26,"resources":[]},{"id":"88","title":"Should be more technical","votes":"16","type":"x","order":"2","pct":13.68,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"34","type":"x","order":"3","pct":29.06,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.