[Owasp-topten] Comment on old/new A6 Categories

Ryan Barnett rcbarnett at gmail.com
Thu Nov 19 10:04:49 EST 2009


I have a comment on this section of pg. 5 of the PDF -

REMOVED: A6 –Information Leakage and Improper Error Handling. This issue is 
extremely prevalent, but the impact of disclosing stack trace and error 
message information is typically minimal.

Based on my experience in working with our customers, default error messages 
(which give detailed stack dump or that dynamically insert DB error messages 
into the response page) are a serious issue.  It is true that these error 
pages are not a direct vulnerability in and of themselves, however they help 
to facilitate and expedite the attacker's iterative process of SQL Injection 
payloads so that they can get the DB correct syntax.  Even worse, these 
detailed error messages are often used as the actual transport mechanism to 
extract out customer records from back-end DBs.  I have seen this happen too 
many times...

Now, all of this being said - it is my belief that with the inclusion of the 
new A6 - Security Misconfiguration - category that this would actually cover 
the sub-category of making sure that any detailed error message pages that 
may have been enabled during staging/testing/QA have been properly reconfigured 
for production (which is the #1 root cause that we find).  This seems somewhat 
similar to the approach that was taken from the 2004 -> 2007 version with 
collapsing all of the various injection flaws into 1 category which allowed for 
some new ones.  

Do you agree with this assessment that the new A6 section would actually cover 
InfoLeakage/Error Handling issues?

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
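Added illustration of the point made in the post above (example code written for this page, not code from the post, from ModSecurity, or from the OWASP Top Ten project). It models a constructed search handler over an in-memory SQLite database with a debug flag standing in for the staging/QA "show detailed errors" setting, and a constructed attacker loop that uses the returned error text to converge on a working UNION payload. The handler, table, column and flag names are all assumptions for the example; the "transport" case (pulling records out through engine-specific error functions) is not reproduced here because it depends on the database engine, and SQLite's error text only echoes query structure.

```python
import logging
import sqlite3

# Constructed example. The flag below stands in for the staging/QA
# "show detailed errors" configuration the post describes as the most
# common root cause; it is an assumption for this example, not a real setting.
DEBUG_ERRORS = True


def make_db():
    """Build an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test', 'constructed-hash-value');
    """)
    return conn


def search_vulnerable(conn, term, debug_errors=DEBUG_ERRORS):
    """Hypothetical search handler: string-built SQL (injectable), with the
    error page behaviour chosen by the debug flag.
    Returns (http_status, response_body)."""
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    try:
        return 200, repr(conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        if debug_errors:
            # Default/debug error page: DB error text and the failing query
            # are written straight into the response the attacker reads.
            return 500, f"Internal error: {exc}\nQuery: {sql}"
        # Production setting: details stay in the server log, the client
        # gets a fixed page that carries no information about the query.
        logging.error("query failed: %s (sql=%r)", exc, sql)
        return 500, "Internal error"


def search_hardened(conn, term):
    """Same handler with a parameterized query and a generic error page;
    the input can no longer change the SQL at all."""
    try:
        rows = conn.execute(
            "SELECT name, price FROM products WHERE name = ?", (term,)
        ).fetchall()
        return 200, repr(rows)
    except sqlite3.Error as exc:
        logging.error("query failed: %s", exc)
        return 500, "Internal error"


def attacker_iterates(handler, max_rounds=8):
    """Constructed attacker loop: grows a UNION payload one column at a time,
    using the server's error text to decide what to fix next.
    Returns (columns_found_or_None, transcript_of_first_lines, last_body)."""
    cols = ["email"]
    transcript = []
    body = ""
    for _ in range(max_rounds):
        payload = "x' UNION SELECT " + ", ".join(cols) + " FROM users--"
        status, body = handler(payload)
        transcript.append(body.splitlines()[0])
        if status == 200:
            return len(cols), transcript, body
        if "number of result columns" in body:
            # The DB told the attacker exactly what was wrong: add a column.
            cols.append("pwhash")
            continue
        # Generic page: no hint about syntax or column count, the loop stalls.
        return None, transcript, body
    return None, transcript, body


if __name__ == "__main__":
    db = make_db()
    for flag in (True, False):
        found, lines, last = attacker_iterates(lambda p: search_vulnerable(db, p, flag))
        print(f"debug_errors={flag}: columns={found}, responses={lines}")
        print("  last body:", last)
    print("hardened:", search_hardened(db, "x' UNION SELECT email, pwhash FROM users--"))
```

With the debug flag on, the first response says the two SELECTs differ in column count and the attacker's second request already returns the users row; with it off, every failure looks the same and the free feedback channel is gone. That only removes the shortcut: the 200/500 difference still lets a patient attacker iterate blind, which is why reconfiguring error pages for production belongs alongside, not instead of, parameterized queries as in `search_hardened`.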
