Defensive Java Programming Notes (08 of 11): Information Disclosure

By Leeland

There is never a good reason to dump detailed error data to the user. Log the full detail server-side, tag it with a unique error ID, and send the user only a generic message carrying that ID, so that support can find the matching log entry without the user (or an attacker) ever seeing the cause.
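The log-it-and-return-an-ID pattern described above, as an added example in plain Java that is not code from the original post. Everything here is assumed for illustration: the class and method names, the use of java.util.logging, and the constructed sample exception (which mimics a database driver message).

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example (not from the original post): convert any exception into a
 * user-safe message plus an opaque error ID, while the full detail goes to the log.
 */
public final class SafeErrorHandler {
    private static final Logger LOG = Logger.getLogger(SafeErrorHandler.class.getName());

    /** What the user sees: generic text and a correlation ID, never the cause. */
    public static final class UserError {
        public final String errorId;
        public final String message;

        UserError(String errorId, String message) {
            this.errorId = errorId;
            this.message = message;
        }

        @Override
        public String toString() {
            return message + " (reference: " + errorId + ")";
        }
    }

    /** Hardened handler: full detail is logged under the same ID the user receives. */
    public static UserError handle(Throwable t, String requestPath) {
        String errorId = UUID.randomUUID().toString();
        // Exception class, message, stack trace and request path all go to the log,
        // keyed by errorId so support can correlate a user report with this entry.
        LOG.log(Level.SEVERE, "errorId=" + errorId + " path=" + requestPath, t);
        return new UserError(errorId, "An internal error occurred. Please try again later.");
    }

    /** Leaky handler, shown for contrast: echoes the driver message and stack trace to the client. */
    public static String leakyHandle(Throwable t) {
        StringBuilder sb = new StringBuilder(t.toString()).append('\n');
        for (StackTraceElement e : t.getStackTrace()) {
            sb.append("\tat ").append(e).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample failure resembling a JDBC driver error; not real output.
        Throwable dbFailure = new RuntimeException(
            "SQLSTATE 42S02: table 'app_users' does not exist: SELECT * FROM app_users WHERE name='x'");
        System.out.println("Leaky response:\n" + leakyHandle(dbFailure));
        System.out.println("Safe response: " + handle(dbFailure, "/account"));
    }
}
```

The leaky version reveals the database table name, the query shape and the package and class names on the stack; the safe version reveals only that something failed. In a servlet container, also map `<error-page>` entries in web.xml (for `java.lang.Throwable` and for 500) to a static page, otherwise the container's default error page will print the stack trace for any exception your own code forgot to catch.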

Web applications should never send the client stack traces, ODBC/JDBC error messages, detailed authentication error messages, or anything else that exposes how the site is implemented.

Error messages and other unexpected outputs often give an attacker a significant advantage. Examples of information that aids an attacker are:

  • Application / platform information (e.g. operating system, web server or application server product, version numbers)

  • Implementation details (e.g. the language in use, underlying libraries, database schema, stack traces showing where things went wrong and the code path taken)

  • Data-validity information leaked by differing responses (e.g. "invalid user name" vs. "invalid password", which confirms to the attacker which user names exist)
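The last bullet is the classic user enumeration leak. The following is an added example, not code from the original post, showing a leaky login beside a uniform one. The in-memory user store, the user "alice" and the password are constructed for the demo; plain SHA-256 is used only to keep the example dependency-free (a real system uses a slow salted hash such as bcrypt or PBKDF2).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not from the original post): the same failure message, and the
 * same amount of work, whether the user name or the password is wrong.
 */
public final class UniformLogin {
    // Constructed in-memory user store: user name -> SHA-256 of password (demo only).
    private static final Map<String, byte[]> USERS = new HashMap<>();
    // Hash compared against when the user does not exist, so the unknown-user path
    // does the same work as the known-user path instead of returning early.
    private static final byte[] DUMMY_HASH = sha256("not-a-real-password");

    static {
        USERS.put("alice", sha256("correct horse battery staple"));
    }

    /** Leaky: two distinct messages and an early return let an attacker enumerate user names. */
    public static String leakyLogin(String user, String password) {
        byte[] stored = USERS.get(user);
        if (stored == null) {
            return "Unknown user name";
        }
        if (!MessageDigest.isEqual(stored, sha256(password))) {
            return "Invalid password";
        }
        return "Welcome " + user;
    }

    /** Hardened: one message for both causes, and the comparison always runs. */
    public static String uniformLogin(String user, String password) {
        byte[] stored = USERS.get(user);
        byte[] toCompare = stored != null ? stored : DUMMY_HASH;
        // MessageDigest.isEqual is a constant-time comparison; the non-short-circuit
        // '&' keeps the null check from skipping work on one branch.
        boolean match = MessageDigest.isEqual(toCompare, sha256(password));
        boolean ok = match & (stored != null);
        return ok ? "Welcome " + user : "Invalid user name or password";
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Attacker probing: a real user with a wrong password vs. a user that does not exist.
        System.out.println("leaky   alice/wrong : " + leakyLogin("alice", "wrong"));
        System.out.println("leaky   bob/wrong   : " + leakyLogin("bob", "wrong"));
        System.out.println("uniform alice/wrong : " + uniformLogin("alice", "wrong"));
        System.out.println("uniform bob/wrong   : " + uniformLogin("bob", "wrong"));
        System.out.println("uniform alice/ok    : " + uniformLogin("alice", "correct horse battery staple"));
    }
}
```

The leaky version tells the attacker that "alice" exists and "bob" does not; the uniform version returns the same text for both. Password-reset and registration forms need the same treatment, since "that e-mail address is already registered" leaks exactly the same fact.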

Remember, the disclosures need not all be in one message. The Navy saying "loose lips sink ships" applies here: intelligence is gathered one isolated sample at a time and later combined into a larger picture, so a version banner from one page, a stack trace from another and a distinct login error from a third together hand an attacker a map of the system.
