Information Leakage-Error Messages
Information Leakage Through Error Messages

The application reveals information about how data validation is performed, which data formats are required, or other details an attacker can use to construct malicious payloads to insert into requests.

To prevent this, replace all error messages with error codes where possible. If error messages must be displayed so that a user can correct a problem, they should contain only the absolute minimum information needed for the user to identify and fix the problem.
An example from the Microsoft site: "We're sorry, but there is no Web page that matches your entry. It is possible you typed the address incorrectly, or the page may no longer exist."

To achieve this, add a custom error document for each type of error (e.g. 500 Internal Server Error, 403 Forbidden, and so on) so that the server's default, detail-rich error page is never shown.
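The following is an added example (not code from the original post) of the "codes instead of messages" rule: every exception is mapped to a status, an opaque error code, a random reference id and a fixed generic message, while the detailed reason (field name, validation rule) is written only to the server log. The `ValidationError` class and the `GENERIC_MESSAGES` texts are assumptions made for this example.

```python
import logging
import uuid

# Fixed user-facing text per status: enough to act on, nothing about internals.
GENERIC_MESSAGES = {
    400: "The request could not be processed. Please check your input and try again.",
    403: "You do not have permission to access this resource.",
    404: "We're sorry, but there is no Web page that matches your entry.",
    500: "Something went wrong on our side. Please try again later.",
}

log = logging.getLogger("app.errors")


class ValidationError(Exception):
    """Hypothetical application exception carrying the detailed validation reason."""

    def __init__(self, field, detail):
        super().__init__(f"{field}: {detail}")
        self.field = field
        self.detail = detail


def build_error_response(exc):
    """Map an exception to an opaque error code plus a generic message.

    The detailed cause (field, regex, file name, stack) stays server-side,
    keyed by a random reference id; only that id, the status, the code and
    the generic text are returned to the client.
    """
    if isinstance(exc, ValidationError):
        status = 400
    elif isinstance(exc, PermissionError):
        status = 403
    elif isinstance(exc, FileNotFoundError):
        status = 404
    else:
        status = 500
    ref = uuid.uuid4().hex[:12]
    # Full detail goes to the log so support can correlate via the reference id.
    log.error("ref=%s status=%d type=%s detail=%s", ref, status, type(exc).__name__, exc)
    return {
        "status": status,
        "error_code": f"E{status}",
        "ref": ref,
        "message": GENERIC_MESSAGES[status],
    }
```

Returning the reference id lets a user quote it to support without the response itself revealing the validation rule or file path that triggered the error.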