Why not show error messages and system specs to users?
24-06-2021
Question
Sometimes I'm on one of my sites, and I run into a DB error that just throws itself out there onto a publicly visible page. I hurry myself to sweep it up, repairing the error when it doesn't belong and creating a custom error when it does belong. I've been told countless times not to allow users to view error messages and to try to avoid revealing system specs. I seem to have forgotten the reason why, though. Why is this so crucial?
Solution
The short answer is that the more information an attacker has, the more likely it is that they will be able to compromise the site in some way.
For example, if a DB error has a table name or a column name in it, the attacker now knows what to try in an SQL injection attack.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
OWASP has a good treatment of the subject. The above link is old but still valid. In general I recommend OWASP as a good resource for understanding not only what good security practices are, but also why they are good.
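To make the table-name leak concrete, here is an added example (not part of the original answer, and not code from any project the page mentions). It assumes a Python application using the standard-library sqlite3 module; the handler names `leaky_lookup` and `safe_lookup`, the in-memory database and the `MemoryHandler` log sink are constructed for this illustration. The leaky handler echoes the driver error (which names the missing `users` table) to the client, while the hardened handler writes the detail only to the server log and gives the user a generic message with an opaque reference id for support to correlate.

```python
import logging
import sqlite3
import uuid


class MemoryHandler(logging.Handler):
    """Collects log records in memory so the example can show what only the server sees."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


SERVER_LOG = MemoryHandler()
LOG = logging.getLogger("app.example")  # hypothetical logger name for this example
LOG.addHandler(SERVER_LOG)
LOG.setLevel(logging.ERROR)
LOG.propagate = False

GENERIC_MESSAGE = "Something went wrong. Please try again later."


def make_db():
    # Constructed sample: an empty in-memory database, so the query below always fails.
    return sqlite3.connect(":memory:")


def leaky_lookup(conn, email):
    """Anti-pattern: the raw driver error (with the table name) becomes the HTTP body."""
    try:
        row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
        return 200, str(row)
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"


def safe_lookup(conn, email):
    """Hardened form: full detail to the server log, opaque reference id to the user."""
    try:
        row = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
        return 200, str(row)
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]  # correlation id so support can find the log entry
        LOG.error("ref=%s query failed: %s: %s", ref, type(exc).__name__, exc)
        return 500, f"{GENERIC_MESSAGE} (reference {ref})"
```

Calling `leaky_lookup(make_db(), "a@example.com")` returns a body containing `no such table: users`; `safe_lookup` returns only the generic message and reference while `SERVER_LOG.records` holds the full error keyed by that reference.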
OTHER TIPS
- Because the more a baddie knows about the architecture of your system, the easier it is for them to tailor attacks to gain access to it, bring it down, etc.
- Because the users can also be crackers/hackers.
- It scares the users to see a lot of strange text/code => not user friendly.
But the primary reason is because of the hackers that gain knowledge of your system.