What does this mean?
Information leakage happens when a web application reveals information that should be protected. This can consist of data about the application's internal workings, configuration, or users, which can lead to privacy issues. If a hacker finds information about how a web application works, it is much easier for them to attack it.
Improper error handling occurs when unnecessary information is revealed to a user during an error. Error handling refers to a web application's programmed response to an error (e.g. incorrect username or password, no results in a search, file not found, etc.). Error pages often contain debugging information so that the programmer can better understand the problem, but this also means that a hacker could gain a better understanding of the application.
Who is vulnerable?
Any web application is potentially vulnerable.
How can it be prevented?
The first step to protecting a web application against this threat is through proper error handling practices. Errors should never reveal stack traces, SQL statements, or any configuration information. It is also bad practice to display different error messages for a single function depending on which part of the input failed. For example, one error page displays when a username that is not in the database is entered, but a different error page displays when an incorrect password is entered; the difference tells the user which usernames exist. Next, a standard error handling architecture should be implemented. Tools are available to test against this type of threat, including OWASP's WebScarab. More tips on securing against this threat are available on OWASP's web site.
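As an added illustration (not part of the original post), here is a Python login check written the leaky way described above beside a hardened version that returns one message for every failure, plus a wrapper that keeps the stack trace in the server log and sends the client only a generic page. The user store, salt and message strings are constructed for the example.

```python
import hashlib
import hmac
import logging
import traceback

# Constructed sample user store; passwords are stored as salted PBKDF2 hashes.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse")}
# Dummy hash so an unknown username costs the same work as a known one.
_DUMMY = _hash("dummy-value-never-a-real-password")

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_SERVER_ERROR = "Something went wrong. Please try again later."


def login_leaky(username: str, password: str) -> str:
    """'Before': two different messages reveal whether the username exists."""
    if username not in USERS:
        return "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "Incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """'After': same message and same amount of work on every failing path."""
    stored = USERS.get(username, _DUMMY)
    # The membership test guards the (unlikely) case of guessing the dummy value.
    ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return "OK" if ok else GENERIC_LOGIN_ERROR


def handle_request(handler):
    """Run a request handler; details go to the server log, the client gets a
    fixed status and message with no trace, SQL or configuration in it."""
    try:
        return 200, handler()
    except Exception:
        logging.getLogger("app").error("unhandled error:\n%s", traceback.format_exc())
        return 500, GENERIC_SERVER_ERROR
```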
Resources
- OWASP's Top 10 - Information Leakage and Improper Error Handling