Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks: Difference between revisions
Programsam (talk | contribs) |
Programsam (talk | contribs) |
||
| Line 32: | Line 32: | ||
... | ... | ||
<center>Figure 1. Patient Deletion Code in Java; hotspot is bolded </center> | <center>'''Figure 1. Patient Deletion Code in Java; hotspot is bolded'''</center> | ||
'''Error message information leak vulnerabilities'''. These vulnerabilities occur when an application does not correctly handle exceptional conditions and subsequently leaks sensitive information to a user<sup>[4, 5]</sup>. This information can be obviously dangerous in the case of error messages that contain system or application passwords, or it may seem more benign, containing only version numbers or stack traces. Unfortunately, even these seemingly benign error information leaks can provide valuable information to an attacker and could expose additional attack vectors. Since a tester cannot tell what information an attacker needs to conduct future attacks, a good policy is to treat all error information leakage vulnerabilities as if they contain obviously dangerous information such as passwords. | '''Error message information leak vulnerabilities'''. These vulnerabilities occur when an application does not correctly handle exceptional conditions and subsequently leaks sensitive information to a user<sup>[4, 5]</sup>. This information can be obviously dangerous in the case of error messages that contain system or application passwords, or it may seem more benign, containing only version numbers or stack traces. Unfortunately, even these seemingly benign error information leaks can provide valuable information to an attacker and could expose additional attack vectors. Since a tester cannot tell what information an attacker needs to conduct future attacks, a good policy is to treat all error information leakage vulnerabilities as if they contain obviously dangerous information such as passwords. | ||