Back to overview

Data validation & encoding 2

Many ecommerce webservers (and other base software) usually provide error messages with information about the nature of the error by default. This is most useful to the developer, as it helps to identify where the error is happening and why. The default configuration also sometimes provides some admin functions to ease their learning curve. However, if this default behaviour is not changed in non-development environments, users (and attackers) can profit from it to acquire knowledge about the internal workings of the application and supporting systems/components.

Other sources of information disclosure are often generated by the developer. These range from messages for internal use, and are not removed when deployed in production, to simple bad programming practices. Some examples of these are:

Exposing sensitive information (such as session identifiers, variables references, login data, etc.) in HTTP headers, URLs, custom error messages, comments, logs, related email messages, etc. Including server-side source code in outputs accessible by users. Including sensitive comments in outputs accessible by users. Allowing user access to configuration files. Leaving default install, unused or old files in web accessible locations. Revealing the application file structure (path to files in error messages or misuse of the robots.txt file). Giving hints about the application workflow and/or security checks as user friendly messages. See Authentication AT 7 relating to different messages at the user login page to indicate that the username or the password are wrong.

How to play?

Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code


Owasp ASVS (4.0): 1.6.4 ,2.10.4 ,4.3.2 ,7.1.1 ,10.2.3 ,14.1.1 ,14.2.2 ,14.3.3

Capec: 54 ,541

Owasp SCP: 69,107,108,109,136,137,153,156,158,162

Owasp Appsensor: HT1-3

Safecode: 4,23

ASVS (4.0) Cheatsheetseries Index

ASVS V1.6 - Cryptographic Architectural Requirements

ASVS V2.1 - Password Security Requirements

ASVS V4.3 - Other Access Control Considerations

ASVS V7.1 - Log Content Requirements

ASVS V10.2 - Malicious Code Search

ASVS V14.1 - Build

ASVS V14.2 - Dependency

ASVS V14.3 - Unintended Security Disclosure Requirements


SQL Injection

Cross-Site Scripting (XSS)

Directory Traversal Attack

Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.