
Don't Tell the Attacker Anything

Cryptic error messages are the bane of normal users and can lead to expensive support calls. However, you need to balance this against the information you hand to attackers. For example, if the attacker attempts to access a file, you should not return an error message such as "Unable to locate stuff.txt at c:\secretstuff\docs"; doing so reveals a little more information about the environment to the attacker. You should return a simple error message, such as "Request Failed", and log the error in the event log so that the administrator can see what's going on. Another factor to consider is that returning user-supplied information in the error message can lead to cross-site scripting attacks if a Web browser might be used with your application. If you're writing a server, log detailed error messages where the administrator of the system can read them.
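The split described above, as an added example that is not from the book: a file-serving function that returns only a fixed "Request failed" to the caller, while the real path, the failure reason and the client address go to the administrator's log. The document root, file names and client address are constructed for the demo.

```python
"""Added example (not from Writing Secure Code): generic client-facing error,
detailed administrator log. DOC_ROOT and the file names are constructed."""
import logging
import os
import tempfile

# Constructed sandbox standing in for the server's document root.
DOC_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="docs_"))
with open(os.path.join(DOC_ROOT, "public.txt"), "w") as f:
    f.write("hello")

GENERIC_ERROR = "Request failed"   # the only error text a caller ever sees

admin_log = logging.getLogger("fileserver")
admin_log.setLevel(logging.INFO)
admin_log.propagate = False
_records = []                       # captured log lines, so the demo runs offline


class _Capture(logging.Handler):
    """Stand-in for the event log: keeps formatted records in memory."""
    def emit(self, record):
        _records.append(self.format(record))


admin_log.addHandler(_Capture())


def serve_file(requested_name: str, client_ip: str) -> tuple[int, str]:
    """Return (status, body). The body is the file contents or GENERIC_ERROR;
    the detailed reason goes only to the administrator's log."""
    full_path = os.path.realpath(os.path.join(DOC_ROOT, requested_name))
    try:
        # Anything resolving outside the document root is treated as a failure.
        if os.path.commonpath([DOC_ROOT, full_path]) != DOC_ROOT:
            raise PermissionError("path escapes document root")
        with open(full_path, "r") as fh:
            return 200, fh.read()
    except OSError as exc:
        # Administrator gets what was asked, where it resolved, and why it failed.
        admin_log.error("client=%s requested=%r resolved=%s error=%s",
                        client_ip, requested_name, full_path, exc)
        # Nothing about the environment, and nothing the client sent, is echoed
        # back, so the response also cannot carry a reflected script payload.
        return 404, GENERIC_ERROR
```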



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2001
Pages: 286
