The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Download 5,76 Mb.

1 ... 839 840 841 842 843 844 845 846 ... 875

Bog'liq
3794 1008 4334

Exploiting Error Messages

Many web applications return informative error messages when unexpected

events occur. These may range from simple built-in messages that disclose

only the category of the error, to full-blown debugging information that gives

away a lot of detail about the application’s state.

Exploiting Information

Disclosure

C H A P T E R

70779c14.qxd:WileyRed 9/14/07 3:14 PM Page 505

Most applications are subject to various kinds of usability testing prior to

deployment, and this testing will typically identify most error conditions that

may arise when the application is being used in the normal way. These condi-

tions are therefore normally handled in a graceful manner that does not

involve any technical messages being returned to the user. However, when an

application is under active attack, it is likely that a much wider range of error

conditions will arise, which may result in more detailed information being

returned to the user. Even the most security-critical applications, such as those

used by online banks, have been found to return highly verbose debugging

output when a sufficiently unusual error condition is generated.

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 839 840 841 842 843 844 845 846 ... 875