5.2 Information Leakage
Information Leakage occurs when a web site reveals sensitive data, such
as developer comments or error messages, that may aid an attacker in
exploiting the system. Sensitive information may be present in HTML
comments, error messages, source code, or simply left in plain sight.
There are many ways a web site can be coaxed into revealing this type
of information. While leakage does not necessarily represent a breach
of security in itself, it does give an attacker useful guidance for
later exploitation. Leaked information may carry varying levels of
risk and should be limited wherever possible.
In the first case of information leakage (comments left in the code,
verbose error messages, etc.), the leak gives the attacker contextual
intelligence: the directory structure, the structure of SQL queries,
and the names of key processes used by the web site. Developers often
leave comments in the HTML and script code to facilitate debugging or
integration. This information ranges from simple comments describing
how a script works to, in the worst cases, usernames and passwords
used during the testing phase of development.
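As an added example (not part of the WASC text), the following Python script performs the check a tester would run for this class of leak: it scans response bodies for the indicators the paragraphs above describe, namely HTML comments, database error text and query fragments, file-system paths, and credential-like remarks. The sample responses, the pattern names and the `Finding` type are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample responses for illustration only (not captured from any
# real site). Each shows one of the leaks the text describes: a developer
# comment carrying test credentials, a verbose database error that exposes
# query structure, and a PHP warning that exposes the directory layout.
SAMPLE_RESPONSES = {
    "/login": (
        "<html><body>\n"
        "<!-- TODO remove before release: test login is admin / s3cret -->\n"
        "<form action='/login' method='post'>...</form>\n"
        "</body></html>"
    ),
    "/item?id=1'": (
        "<html><body>Error: You have an error in your SQL syntax; check the "
        "manual that corresponds to your MySQL server version for the right "
        "syntax to use near '1''' at line 1<br>\n"
        "Query: SELECT name, price FROM items WHERE id = '1''</body></html>"
    ),
    "/report": (
        "<html><body>Warning: include(/var/www/html/inc/report_lib.php): "
        "failed to open stream in /var/www/html/report.php on line 12"
        "</body></html>"
    ),
    "/about": "<html><body><h1>About us</h1><p>Plain marketing copy.</p></body></html>",
}


@dataclass(frozen=True)
class Finding:
    url: str
    kind: str       # which indicator fired
    evidence: str   # the matched text, truncated for the report


# Indicator name -> regex. The categories mirror the intelligence the text
# says a leak hands an attacker: comments, SQL structure, directory structure,
# and credentials left over from testing. The error strings are the usual
# MySQL, Oracle, PDO and SQL Server fragments.
PATTERNS = {
    "html_comment": re.compile(r"<!--(.*?)-->", re.DOTALL),
    "sql_error": re.compile(
        r"error in your SQL syntax|ORA-\d{5}|SQLSTATE\[\w+\]|Unclosed quotation mark",
        re.IGNORECASE,
    ),
    "sql_query": re.compile(
        r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.{1,200}?\b(?:FROM|INTO|SET|WHERE)\b",
        re.IGNORECASE | re.DOTALL,
    ),
    "filesystem_path": re.compile(
        r"/(?:var|home|usr|etc|opt|srv)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+"
    ),
    "credential_hint": re.compile(
        r"\b(?:password|passwd|pwd|login is|api[_-]?key)\b", re.IGNORECASE
    ),
}


def scan_response(url: str, body: str) -> list[Finding]:
    """Return every leakage indicator that fires on one response body."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            evidence = " ".join(match.group(0).split())  # collapse whitespace
            findings.append(Finding(url, kind, evidence[:80]))
    return findings


def scan_all(responses: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a url -> body mapping; pages with no findings map to an empty list."""
    return {url: scan_response(url, body) for url, body in responses.items()}


def leaked_kinds(responses: dict[str, str]) -> dict[str, set[str]]:
    """Summarise which indicator categories fired per URL."""
    return {url: {f.kind for f in fs} for url, fs in scan_all(responses).items()}


if __name__ == "__main__":
    for url, findings in scan_all(SAMPLE_RESPONSES).items():
        status = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"{url}: {status}")
        for f in findings:
            print(f"  [{f.kind}] {f.evidence}")
```

Run against the constructed samples, the login page flags the comment and the credential hint, the item page flags both the database error and the exposed query, the report page flags the two absolute paths, and the about page is clean. Pattern matching of this kind is a triage aid, not a verdict: a marketing page that mentions "password reset" will fire `credential_hint`, so each finding still needs a human look before it is reported.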
Information Leakage also applies to data deemed confidential that is
not properly protected by the web site. Such data may include account
numbers, user identifiers (driver's license number, passport number,
Social Security Number, etc.) and user-specific data (account
balances, address, and transaction history).
Insufficient Authentication, Insufficient Authorization, and transport
encryption also deal with protecting data and enforcing proper
controls over access to it. Some threats fall outside the scope of the
web site's own protections, such as attacks on the client or a casual
observer looking over the user's shoulder. Information Leakage in this
context deals with the exposure of key user data deemed confidential
or secret that should not be displayed in plain view even to the user.
Credit card numbers are a prime example of user data that needs to be
further protected from
Copyright 2004, Web Application Security Consortium. All rights reserved.