[Owasp-topten] Comment on old/new A6 Categories

Ralph Durkee rd at rd1.net
Thu Nov 19 11:04:39 EST 2009


I totally agree that proper configuration of error handling would be 
included in the new A6,  and it would helpful to update the the text on 
removal of  info leakage to reflect  that at least the configuration of 
error handling is included in the new A6, as it makes a stronger 
statement about why it's no longer needed.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GPEN
Principal Security Consultant
http://rd1.net



Ryan Barnett wrote:
> I have a comment on this section of pg. 5 of the PDF -
>
> REMOVED: A6 –Information Leakage and Improper Error Handling. This issue is 
> extremely prevalent, but the impact of disclosing stack trace and error 
> message information is typically minimal.
>
> Based on my experience in working with our customers, default error messages 
> (which give detailed stack dump or that dynamically insert DB error messages 
> into the response page) are an serious issue.  It is true that these error 
> pages are not a direct vulnerability in and of themselves, however they help 
> to facilitate and expedite the attacker's iterative process of SQL Injection 
> payloads so that they can get the DB correct syntax.  Even worse, these 
> detailed error messages are often used as the actual transport mechanism to 
> extract out customer records from back-end DBs.  I have see this happen too 
> many times...
>
> Now, all of this being said - it is my belief that with the inclusion of the 
> new A6 - Security Misconfiguration - category that this would actually cover 
> the sub-category of making sure that any detailed error messages pages that 
> may have been enabled during staging/testing/QA have been properly reconfigured 
> for production (which is the #1 root cause that we find).  This seems somewhat 
> similar to the approach that was taken from 2004 -> 2007 version with 
> collapsing all of the various injection flaws into 1 category which allowed for 
> some new ones.  
>
> Do you agree with this assessment that the new A6 section would actually cover 
> InfoLeakage/Error Handling issues?
>
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>   


More information about the Owasp-topten mailing list