exposure or leakage even with the proper encryption and access
controls in place.
Example
There are three main categories of Information Leakage: comments
left in code, verbose error messages, and confidential data in plain
sight.
Comments left in code:

    <table height="59" width="591">
        <tbody>
            <tr>
                <!-- If the image files do not show up, restart VADER -->
                <td height="17" width="587">&nbsp;</td>
            </tr>
        </tbody>
    </table>

Here we see a comment left by the development/QA personnel
indicating what one should do if the image files do not show up. The
security breach is the host name of the server, "VADER", which is
stated explicitly in the code and is therefore readable by anyone who
views the page source.
An example of a verbose error message is the response to an
invalid query; a prominent case is the error message produced by a
failed SQL query. SQL Injection attacks typically require the attacker
to have prior knowledge of the structure or format of the SQL queries
the site builds. A verbose error message can leak exactly that: the
crucial information on how to construct valid SQL queries for the
backend database.
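As an added illustration of the verbose-error case (example code, not part of the original document), the following Python snippet uses a constructed in-memory SQLite table and contrasts a handler that returns the raw database error to the client with one that logs the detail server-side and returns a generic message; the `leaks_schema` helper is a simple check a tester could run over captured responses.

```python
import logging
import sqlite3

# Constructed in-memory database so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.execute("INSERT INTO users (name) VALUES ('alice')")
conn.commit()

log = logging.getLogger("app")


def lookup_verbose(name):
    """'Before': the raw database error is returned to the client.
    The query is built by string concatenation, so a legitimate name that
    contains a quote (O'Brien) breaks the SQL, and the DBMS error text
    tells the caller how the query is shaped."""
    try:
        cur = conn.execute("SELECT id FROM users WHERE name = '" + name + "'")
        return {"status": 200, "body": [row[0] for row in cur.fetchall()]}
    except sqlite3.Error as exc:
        # Leaks engine, query fragments and schema hints to the caller.
        return {"status": 500, "body": "Database error: %s" % exc}


def lookup_hardened(name):
    """'After': parameterised query plus a generic client-facing message.
    Full exception detail goes only to the server-side log."""
    try:
        cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
        return {"status": 200, "body": [row[0] for row in cur.fetchall()]}
    except sqlite3.Error:
        log.exception("query failed for name=%r", name)
        return {"status": 500, "body": "An internal error occurred."}


def leaks_schema(response):
    """Detection helper: flag a response body that carries DBMS or schema
    detail. The marker list is a constructed, minimal set for this demo."""
    markers = ("syntax error", "unrecognized token", "select", "users", "sqlite")
    body = str(response["body"]).lower()
    return any(marker in body for marker in markers)
```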
Copyright 2004, Web Application Security Consortium. All rights reserved.