[OWASP-ESAPI] Hiding errors / CSRF token

Davy Tielens davy.tielens at gmail.com
Wed Nov 26 04:47:45 EST 2008


I've been experimenting with this project for a couple of weeks and in my
opinion I must say this is a wonderful project. There is a great need for
projects like this because most developers don't know much about security
but with the quality code ESAPI provides even those developers can produce
very secure web-applications.

After implementing ESAPI into a project I sometimes got uncatched exceptions
and stacktraces (developer's fault, not ESAPI) while running my application.
These stacktraces where showed in the client's browser, providing a lot of
information to possible attackers. I was wondering if it is possible to hide
these errors from the user using ESAPI. Maybe by redirecting users to a
default error page which could be declared in the ESAPI.properties file?

An other question I have is concerning the CSRF-token. When using an unique
CSRF-token each request it's not possible anymore to use the browsers
reload, back and forward button. Is it possible to use the unique token and
still be able to use those buttons? I was thinking to save the previous
tokens on a session, but maybe this could be to memory consuming when
visiting many pages? An other option, which I'm currently using is to use a
unique CSRF-token each session, but this reduces the security of the
application because the token could be stolen and misused during a session.
Any opinions/tips?


Davy Tielens
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20081126/c4eeba61/attachment.html 

More information about the OWASP-ESAPI mailing list