My app returns different custom error pages for 500 and 404 - is it vulnerable?

  • Question

  • User-969037082 posted

    The published workaround does not appear to change the HTTP Status Code that is returned to the client. It just appears to ensure that the same response content is sent for every error.

    So is the returned HTTP status code completely irrelevant to the attack? That is, is the error code the same for all the requests used in the attack (presumably 500), and the attacker needs to distinguish the errors based on the response content?

    Can I leave my nice 404 error page alone, or does it need to be the same as the 500 error page?


    Thanks,

    Adam Smith


    Monday, September 20, 2010 12:12 PM

Answers

  • User533502567 posted

    Can I leave my nice 404 error page alone, or does it need to be the same as the 500 error page?

    No, don't differentiate between 404s and 500s to clients. From ScottGu's comment:

    One of the ways this attack works is that it looks for differentiation between 404s and 500 errors. Always returning the same HTTP code and sending them to the same place is one way to help block it.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, September 20, 2010 12:27 PM
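As an added illustration, not taken from this thread or from Microsoft's published guidance, here are two web.config fragments: the per-status layout the answer argues against, beside a customErrors section that sends every error to one page served in place. The page names (error.aspx, notfound.aspx, servererror.aspx) are assumed; redirectMode="ResponseRewrite" requires .NET 3.5 SP1 or later.

```xml
<!-- BEFORE (the pattern the answer argues against): a separate page, and so a
     different response body, for 404s and for 500s. With the default redirect
     mode the client is also sent a 302 to a URL that names the error type. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER: one page for every error, no per-status entries, rendered in place
     (ResponseRewrite) instead of via a redirect, so the body an attacker sees
     is identical whatever the underlying error was. allowOverride="false"
     stops a sub-folder web.config from reintroducing per-status pages. -->
<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/error.aspx" />
    </system.web>
  </location>
</configuration>
```

The friendly 404 page can stay, provided it is the same page, with the same body, that a 500 produces; verify by requesting a non-existent URL and a page that throws, and comparing the two responses byte for byte.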