[Owasp-topten] Comment on old/new A6 Categories

Colin Watson colin.watson at owasp.org
Thu Nov 19 11:02:23 EST 2009


I would support mention of error handling in A6.  Perhaps it would be
a better example than directory listing in Scenario #3.  Then also add
a reference to:

OWASP Detailed error messages
http://www.owasp.org/index.php/Error_Handling,_Auditing_and_Logging#Detailed_error_messages

Colin Watson

2009/11/19 Ryan Barnett <rcbarnett at gmail.com>:
> I have a comment on this section of pg. 5 of the PDF -
>
> REMOVED: A6 –Information Leakage and Improper Error Handling. This issue is
> extremely prevalent, but the impact of disclosing stack trace and error
> message information is typically minimal.
>
> Based on my experience in working with our customers, default error messages
> (which give detailed stack dump or that dynamically insert DB error messages
> into the response page) are a serious issue.  It is true that these error
> pages are not a direct vulnerability in and of themselves, however they help
> to facilitate and expedite the attacker's iterative process of SQL Injection
> payloads so that they can get the DB correct syntax.  Even worse, these
> detailed error messages are often used as the actual transport mechanism to
> extract out customer records from back-end DBs.  I have seen this happen too
> many times...
>
> Now, all of this being said - it is my belief that with the inclusion of the
> new A6 - Security Misconfiguration - category that this would actually cover
> the sub-category of making sure that any detailed error messages pages that
> may have been enabled during staging/testing/QA have been properly reconfigured
> for production (which is the #1 root cause that we find).  This seems somewhat
> similar to the approach that was taken from 2004 -> 2007 version with
> collapsing all of the various injection flaws into 1 category which allowed for
> some new ones.
>
> Do you agree with this assessment that the new A6 section would actually cover
> InfoLeakage/Error Handling issues?
>
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
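As an added example (not part of this thread or of any OWASP project code), here is a small Python check a defender could run over captured HTTP response bodies to catch the misconfiguration Ryan describes: verbose error pages, stack traces and raw database error text still being echoed to clients in production. The signature list and the sample responses are constructed for illustration and are not exhaustive.

```python
import re

# Constructed signatures for verbose error output: framework stack traces and
# raw database driver messages that have been echoed into the response body.
VERBOSE_ERROR_PATTERNS = {
    "java_stack_trace": re.compile(r"^\s+at [\w$.]+\([\w.]*:\d+\)", re.MULTILINE),
    "dotnet_stack_trace": re.compile(r"\bat [\w.]+\.[\w<>]+\(.*\) in .*\.cs:line \d+"),
    "php_warning": re.compile(r"<b>(Warning|Fatal error|Notice)</b>: .* on line <b>\d+</b>"),
    "mysql_error": re.compile(r"You have an error in your SQL syntax|mysql_fetch_\w+\(\)"),
    "mssql_error": re.compile(r"Unclosed quotation mark after the character string|\[SQL Server\]"),
    "oracle_error": re.compile(r"\bORA-\d{5}\b"),
    "postgres_error": re.compile(r"ERROR:\s+syntax error at or near"),
}


def find_verbose_errors(body: str) -> list[str]:
    """Return the names of every verbose-error signature found in one response body."""
    return [name for name, pattern in VERBOSE_ERROR_PATTERNS.items() if pattern.search(body)]


def audit_responses(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each request path to the signatures found in its response.

    Paths whose response shows only a generic error page (no findings) are omitted,
    which is the behaviour a correctly reconfigured production host should exhibit.
    """
    findings = {}
    for path, body in responses.items():
        hits = find_verbose_errors(body)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample responses, as they might be captured from a production host.
# The first two leak detail that belongs only in staging/QA; the third is a
# generic error page that gives the client nothing but a correlation reference.
SAMPLE_RESPONSES = {
    "/account": (
        "<html><body>Microsoft OLE DB Provider for SQL Server error '80040e14'<br>"
        "Unclosed quotation mark after the character string ''.</body></html>"
    ),
    "/report": (
        "java.lang.NullPointerException\n"
        "\tat com.example.report.Builder.render(Builder.java:42)\n"
        "\tat com.example.web.ReportServlet.doGet(ReportServlet.java:88)\n"
    ),
    "/search": "<html><body>An error occurred. Reference: 7f3a</body></html>",
}

if __name__ == "__main__":
    for path, hits in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(hits)}")
```

Running the same check against a staging and a production deployment, and treating any production finding as a configuration regression, gives a concrete test for the "reconfigured for production" condition the thread discusses.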
