This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cornucopia - Ecommerce Website - VE 2"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 
{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 2</span>}}
 
{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 2</span>}}
[[File:Cornucopia_-_Ecommerce_Website_VE_2.png|right]]
+
[[File:Cornucopia_-_Ecommerce_Website_VE_2.png|frame|right]]
 
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]]
 
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]]
  

Latest revision as of 14:06, 21 January 2016

Cornucopia - Ecommerce Website VE 2.png

Suit: Data Validation and Encoding

Card/Value: 2

Description:

Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code.

Technical Note:

Many ecommerce webservers (and other base software) usually provide error messages with information about the nature of the error by default. This is most useful to the developer, as it helps to identify where the error is happening and why. The default configuration also sometimes provides some admin functions to ease their learning curve. However, if this default behaviour is not changed in non-development environments, users (and attackers) can profit from it to acquire knowledge about the internal workings of the application and supporting systems/components.

Other sources of information disclosure are often generated by the developer. These range from messages for internal use, and are not removed when deployed in production, to simple bad programming practices. Some examples of these are:

  • Exposing sensitive information (such as session identifiers, variables references, login data, etc.) in HTTP headers, URLs, custom error messages, comments, logs, related email messages, etc.
  • Including server-side source code in outputs accessible by users.
  • Including sensitive comments in outputs accessible by users.
  • Allowing user access to configuration files.
  • Leaving default install, unused or old files in web accessible locations.
  • Revealing the application file structure (path to files in error messages or misuse of the robots.txt file).
  • Giving hints about the application workflow and/or security checks as user friendly messages.

See Authentication AT 7 relating to different messages at the user login page to indicate that the username or the password are wrong.

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECode
69 4.5 HT1 54 4
107 8.1 HT2 224 23
108 8.2 HT3
109
136
137
153
156
158
162


« Previous Card | Data Validation and Encoding | Next Card »