[Owasp-topten] Comment on old/new A6 Categories

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Fri Nov 20 14:00:00 EST 2009

I agree as well. 

I am thinking right now of a couple of examples from OWASP Code Review

It would make more sense to me that directory listing. And it would also
be a good reference for the "references" section


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
Sent: Thursday, 19 November 2009 09:05 a.m.
To: OWASP-TopTen at lists.owasp.org
Subject: [Owasp-topten] Comment on old/new A6 Categories

I have a comment on this section of pg. 5 of the PDF -

REMOVED: A6 -Information Leakage and Improper Error Handling. This issue
is extremely prevalent, but the impact of disclosing stack trace and
error message information is typically minimal.

Based on my experience in working with our customers, default error
messages (which give detailed stack dump or that dynamically insert DB
error messages into the response page) are a serious issue.  It is true
that these error pages are not a direct vulnerability in and of
themselves, however they help to facilitate and expedite the attacker's
iterative process of SQL Injection payloads so that they can get the
correct DB syntax.  Even worse, these detailed error messages are often
used as the actual transport mechanism to extract out customer records
from back-end DBs.  I have seen this happen too many times...

Now, all of this being said - it is my belief that with the inclusion of
the new A6 - Security Misconfiguration - category that this would
actually cover the sub-category of making sure that any detailed error
message pages that may have been enabled during staging/testing/QA have
been properly reconfigured for production (which is the #1 root cause
that we find).  This seems somewhat similar to the approach that was
taken from 2004 -> 2007 version with collapsing all of the various
injection flaws into 1 category which allowed for some new ones.  

Do you agree with this assessment that the new A6 section would actually
cover InfoLeakage/Error Handling issues?

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader OWASP ModSecurity
Core Rule Set Project Leader Tactical Web Application Security
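As an added illustration of the staging-versus-production error-page point raised above (example code written for this archive page, not code from the thread or from any OWASP project), the Python below shows the two behaviours side by side: a debug setting that writes the stack trace and raw DB error text into the response, and the production setting that logs the detail under an incident id and returns a generic page. The malformed query, the in-memory table, the marker list and the `leaks_internal_detail` check are all constructed for this example; the check is the kind of assertion a production-readiness test could run against responses.

```python
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")

# Constructed list of substrings that mark a response body as carrying
# internal detail (stack-trace or DB-driver error text).
LEAK_MARKERS = ("Traceback", "sqlite3", "OperationalError", "syntax error")


def leaks_internal_detail(body: str) -> bool:
    """Return True if a response body contains stack-trace or DB-error text."""
    return any(marker in body for marker in LEAK_MARKERS)


def render_error(exc: Exception, debug: bool) -> tuple:
    """Map an unhandled exception to an (HTTP status, body) pair.

    debug=True mimics the staging/QA setting: the trace and raw DB error go
    straight into the page.  debug=False is the production setting: the
    detail is logged server-side under an incident id and the client sees
    only a generic message plus that id, which support staff can look up.
    """
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, "Internal error:\n" + detail
    incident_id = uuid.uuid4().hex[:12]
    log.error("incident %s: %s", incident_id, detail)
    return 500, "An error occurred. Reference: " + incident_id


def handle(sql: str, debug: bool) -> tuple:
    """Simulated request handler: runs sql and turns any failure into a response."""
    db = sqlite3.connect(":memory:")  # constructed throwaway database
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    try:
        rows = db.execute(sql).fetchall()
        return 200, repr(rows)
    except Exception as exc:  # any unhandled error reaches the error-page logic
        return render_error(exc, debug)
    finally:
        db.close()
```

Running `handle` with a deliberately malformed query and `debug=False` yields a body that passes `leaks_internal_detail`, while the same call with `debug=True` fails it.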
