Application Error Handling: How to Avoid Death by a Thousand Cuts

by Bryan Sullivan and Billy Hoffman
Oct. 2, 2017 | Infosecwriters | Apps & Hardening

When an application error occurs, whether due to user input or an internal function, we as conscientious developers want to present an error message that will help the end user correct the problem. However, it is possible to be too helpful with your error handling approach. By providing overly detailed application error messages to your users, you can actually be opening your site to hackers. Hackers spend the majority of their time performing reconnaissance on a site, slowly gathering multiple pieces of information to determine how a site is vulnerable. Sometimes, it is a seemingly innocuous piece of information in an application error message that provides an attacker with the last piece of the puzzle necessary for him to launch a devastating attack.

http://www.infosecwriters.com/Papers/BSullivan_Error_Handling.pdf
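The contrast the paper draws, as an added example (not code from the paper or from Infosecwriters): a request handler that either echoes the raw exception to the client or returns a generic message with an opaque reference id and keeps the detail in the server log. `fetch_user`, the error text it raises and `INTERNAL_MARKERS` are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed stand-in for a database call. Its error text carries the kind of
# internal detail (table name, source path) a verbose error page would expose.
def fetch_user(user_id: int) -> dict:
    if user_id != 1:
        raise RuntimeError(
            f"relation 'users' has no row id={user_id} (query built in /srv/app/db.py:42)"
        )
    return {"id": 1, "name": "alice"}

def build_error_response(exc: Exception, verbose: bool) -> dict:
    """Turn an exception into the dict a web handler would serialise for the client.

    verbose=True is the over-helpful pattern: exception text and stack trace go
    to the browser. verbose=False keeps that detail in the server log, keyed by
    an opaque reference id the user can quote to support.
    """
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if verbose:
        return {"status": 500, "error": f"{type(exc).__name__}: {exc}", "trace": detail, "ref": ref}
    log.error("ref=%s unhandled %s: %s\n%s", ref, type(exc).__name__, exc, detail)
    return {"status": 500, "error": "Something went wrong. Quote reference " + ref + " to support.", "ref": ref}

def lookup_user(user_id: int, verbose: bool = False) -> dict:
    """Boundary handler: no exception may escape to the framework's default error page."""
    try:
        return {"status": 200, "user": fetch_user(user_id)}
    except Exception as exc:
        return build_error_response(exc, verbose)

# Constructed markers for a cheap response check (a test or egress filter would
# use a real list: stack-trace headers, file paths, SQL fragments, class names).
INTERNAL_MARKERS = ("/srv/", "db.py", "relation", "Traceback", "RuntimeError")

def leaks_internals(response: dict) -> bool:
    """Does any field of the client-facing response expose internal detail?"""
    text = " ".join(str(v) for v in response.values())
    return any(m in text for m in INTERNAL_MARKERS)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(lookup_user(7, verbose=True))  # leaks table name, path and stack
    print(lookup_user(7))                # generic message plus reference id
```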

Irina Alexandra Negrii 7 months ago

If you can hit something with your weapon, you can damage it, however slightly. And if you can damage it, you can defeat it just by hitting it enough times... this is how it works.
