- Systems often accidentally reveal their workings and vulnerabilities:
- Revealing the server/component type and version in their error response: this allows the attacker to search for known vulnerabilities against that version number.
- Logging full stack traces, or worse, showing them in the error response: again, this tells the attacker which libraries the system uses, and if any of those libraries have known vulnerabilities, the attacker can exploit them.
- Just because your client is internal and not ‘user facing’, don’t assume that your error responses won’t filter through to the outside: in a highly distributed system, you never know where your response will end up.
- The same goes for logging; you don’t know who will end up reading your error logs.
- Basic Action Points For A Team:
- Never log full stack traces, unless absolutely necessary.
- Confirm that none of your responses contain information about the server products you use or their versions.
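An added example (not part of the original notes) showing both action points in code: an error handler that returns a generic body with a correlation id while keeping the exception details in the internal log, and a simple checker that flags responses which still leak product names, version numbers or stack traces. The header list and the version regex are assumed heuristics, and the leaky response is constructed test data.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("errors")

# Headers that commonly disclose the server product or framework and its version (assumed list).
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Product name followed by a version, e.g. "nginx/1.18.0" or "Apache/2.4.41" (heuristic).
VERSION_RE = re.compile(r"\b[A-Za-z][\w.\-]*[/ ]v?\d+\.\d+(?:\.\d+)*\b")


def sanitize_error(exc: Exception, log_trace: bool = False) -> dict:
    """Build a client-safe error body; exception details stay in the internal log."""
    correlation_id = str(uuid.uuid4())
    if log_trace:
        # Full trace only when explicitly requested ("unless absolutely necessary").
        trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("error %s: %s", correlation_id, trace)
    else:
        log.error("error %s: %s", correlation_id, type(exc).__name__)
    # The caller sees a generic message plus an id they can quote to support.
    return {"status": 500, "error": "internal error", "reference": correlation_id}


def find_disclosures(headers: dict, body: str) -> list:
    """List the places where a response reveals server products, versions or traces."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            findings.append(f"header {name}: {value}")
    for match in VERSION_RE.findall(body):
        findings.append(f"body version string: {match}")
    if "Traceback (most recent call last)" in body or "\n    at " in body:
        findings.append("body contains a stack trace")
    return findings


# Constructed sample of a leaky response for the checker to run over.
LEAKY_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "Content-Type": "text/html"}
LEAKY_BODY = (
    "Traceback (most recent call last):\n  File app.py, line 12\n"
    "ValueError: bad input\nPowered by Apache/2.4.41"
)

if __name__ == "__main__":
    for finding in find_disclosures(LEAKY_HEADERS, LEAKY_BODY):
        print(finding)
    print(sanitize_error(ValueError("bad input")))
```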