Cornucopia - Ecommerce Website - VE 2
Category: Data Validation and Encoding
Value: 2
Description:
Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code.
Technical note:
Many web servers (and other base software) provide, by default, error messages that describe the nature of an error. This is useful to the developer, because it shows where the error happened and why, and such software also ships with default administrative functions to flatten the learning curve. However, if this default behaviour is not changed, users (and attackers) can use it to acquire knowledge about the internal workings of the application.
Other sources of information disclosure are introduced by the developer. These range from messages intended for internal use (which are not removed before the code is sent to production) to plain bad programming practices. Some examples are:
- Exposing sensitive information (such as session identifiers, variables references, login data, etc.) in URLs, custom error messages, comments or logs.
- Revealing the application's file-system layout (file paths in error messages, or misuse of the robots.txt file).
- Giving hints about the application workflow and/or security checks through user-friendly messages (e.g. using different messages on the login page to indicate whether the username or the password is wrong).
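As an added illustration of the last two points (not code from the OWASP page), the following contrasts a login handler that reveals whether the username exists with one that returns a single uniform message, and wraps request handlers so that stack traces and file paths are logged server-side while the client only sees a generic message with a correlation reference. The user table, handler names and the failing path are constructed for the example.

```python
"""Login and error handling that avoids leaking internal details."""
import hashlib
import hmac
import logging
import traceback
import uuid

# Constructed user table: username -> SHA-256 of password (illustration only;
# a real application would use a salted password hash such as bcrypt or Argon2).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
logger = logging.getLogger("app")


def login_verbose(username: str, password: str) -> str:
    """Weak: distinct messages reveal whether the username exists."""
    if username not in USERS:
        return "Unknown username"
    if hashlib.sha256(password.encode()).hexdigest() != USERS[username]:
        return "Wrong password"
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, compared in constant time."""
    # Compare against a dummy digest for unknown users so both paths do
    # the same amount of work and the response text is identical.
    expected = USERS.get(username, hashlib.sha256(b"").hexdigest())
    supplied = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(supplied, expected) and username in USERS
    return "Welcome" if ok else "Invalid username or password"


def handle_request(handler, *args) -> tuple:
    """Run a handler; log full details server-side, return a generic error."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:8]  # correlation id for support/log lookup
        logger.error("request %s failed:\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred (reference {ref})"


def broken_handler(_arg):
    """Constructed handler that fails with an internal path in the message."""
    raise FileNotFoundError("/var/www/app/config/db.yml")  # constructed path
```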
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECode |
|---|---|---|---|---|
| 69 | 4.5 | HT1 | 54 | 4 |
| 107 | 8.1 | HT2 | 224 | 23 |
| 108 | 8.2 | HT3 | | |
| 109 | | | | |
| 136 | | | | |
| 137 | | | | |
| 153 | | | | |
| 156 | | | | |
| 158 | | | | |
| 162 | | | | |