Angels of security

Posts Tagged ‘SQL’

error handling

Tuesday, May 19th, 2009

Error handling is one of the most often overlooked areas of application security. If you have a public-facing application, you don’t want the public to know too much about how the application works, even if you’re convinced they should never see errors. Case in point is demonstrated in the image presented here. I was just surfing the web, reading about one of my other innocuous hobbies (in this case baseball) when I came across the following page. As a user, I shouldn’t be able to see any of that. As an attacker, I just found a goldmine if information which I can use to try and exploit the site.

Tags: error handling, SQL, web applications
Posted in application security | Comments Off

About this blog

This is not your normal information security blog. This blog is where I vent and struggle against the standards of infosec orthodoxy (wow - I can't even believe there is such a thing). If you're looking for a place to just get the standard security professional line on everything then this is not the place for you. This is a place to read the opinions (and I have many) of someone who often disagrees with standard conventions and isn't afraid to say so.