The CWE database does a good job of enumerating and outlining various weaknesses in applications. For this specific case, see CWE-209.
http://cwe.mitre.org/data/definitions/209.html

The pen-testing tools that are out there wrap around these commonly agreed upon weaknesses to generate a report of issues or potential issues. Manual pen-testing takes the same approach.

Axton Grams

On Mon, Oct 8, 2012 at 8:46 AM, Longwing, LJ CTR MDA/IC <lj.longwing....@mda.mil> wrote:
> John,
> I would personally be more concerned about someone having a 'clone' of my
> system and gaining more information than them being able to glean much from
> error messages. Yes, I understand that an error message from the
> underlying vendor db (SQL Server) for example tells them what DB you are
> running on....but I've never been exceedingly concerned about that...I
> guess I've never been in a position where the system I support is so
> critical that someone is going to attack it and any little piece of
> information provides another nugget of capability to exploit.
>
> Being in DOD contracting I understand the concerns for security and such,
> I'm just not sure what they would do with something like the error they
> described.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker
> Sent: Monday, October 08, 2012 7:36 AM
> To: arslist@ARSLIST.ORG
> Subject: Results of a application pen-test - need to close holes
>
> LJ,
>
> 2. Improper error handling
>
> The concern would be that the SQL message may reveal information that
> allows a third party to establish the type of database, IP address, etc.
> They would then be in a position to mount an attack with information known
> about that database, ie current security concerns etc.
>
> 5. Forced browsing
>
> You correctly identify a good SSO deployment (ie the JSS SSO Plugin :-) as
> a solution to forced browsing, ie ensuring the user has authenticated
> before being able to access a resource.
>
> John
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12
> www.wwrug12.com ARSList: "Where the Answers Are"
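The two findings discussed in this thread, improper error handling (CWE-209) and forced browsing, are easiest to see side by side in code. The example below is added here for illustration and is not code from the thread, from BMC Remedy, or from the JSS SSO Plugin; the session store, the request handlers, the `Response` class and the fake driver exception are all constructed stand-ins. The "leaky" handler forwards the raw driver message to the client and never checks authentication; the hardened handler authenticates first, returns only a generic message with a correlation reference, and keeps the full exception text in a server-side log where an operator can look it up.

```python
import uuid

# Constructed in-memory session store standing in for a real SSO/session layer (assumption).
AUTHENTICATED_SESSIONS = {"sess-abc123": "alice"}

# Constructed server-side log sink; a real application would use its logging framework.
SERVER_LOG = []


class FakeDatabaseError(Exception):
    """Stands in for a vendor driver exception whose text names the product and host."""


class Response:
    """Minimal HTTP-like response holder (constructed for this example)."""

    def __init__(self, status, body):
        self.status = status
        self.body = body


def query_db(user_id):
    # Constructed failure: the kind of driver message a pen-test report flags,
    # because it reveals the database product and an internal address.
    raise FakeDatabaseError(
        "[Vendor][SQL Server] Login failed for user 'app' on host 10.0.0.5"
    )


def leaky_handler(session_id, user_id):
    """Before: no authentication gate (forced browsing) and the raw exception
    text is returned to the client (CWE-209)."""
    try:
        return Response(200, query_db(user_id))
    except Exception as exc:
        return Response(500, f"Internal error: {exc}")


def hardened_handler(session_id, user_id):
    """After: require an authenticated session before touching the resource,
    and on failure return a generic message plus a correlation reference.
    The detailed exception goes only to the server log."""
    user = AUTHENTICATED_SESSIONS.get(session_id)
    if user is None:
        return Response(401, "Authentication required")
    try:
        return Response(200, query_db(user_id))
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        SERVER_LOG.append(f"ref={ref} user={user} error={type(exc).__name__}: {exc}")
        return Response(500, f"An internal error occurred. Reference: {ref}")


# Markers a reviewer would grep client responses for; constructed to match the
# fake driver message above.
SENSITIVE_MARKERS = ("SQL Server", "10.0.0.5", "Login failed")


def leaks_details(body):
    """True if a response body contains any of the sensitive markers."""
    return any(marker in body for marker in SENSITIVE_MARKERS)


if __name__ == "__main__":
    before = leaky_handler("no-session", 42)
    after = hardened_handler("sess-abc123", 42)
    print("leaky  :", before.status, before.body, "| leaks:", leaks_details(before.body))
    print("hardened:", after.status, after.body, "| leaks:", leaks_details(after.body))
    print("server log:", SERVER_LOG[-1])
```

The correlation reference is what lets support staff tie a user's generic error back to the full stack trace without exposing it, so the fix does not cost diagnosability. The 401 before the database call is the forced-browsing control: the resource is never reached, so it cannot fail in a way that leaks anything, whether or not the caller has a session.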