Adam Wade Sm...
0 Points
1 Post
My app returns different custom error pages for 500 and 404 - is it vulnerable?
Sep 20, 2010 04:12 PM
The published workaround does not appear to change the HTTP Status Code that is returned to the client. It just appears to ensure that the same response content is sent for every error.
So is the returned HTTP status code completely irrelevant to the attack? That is, is the error code the same for all the requests used in the attack (presumably 500), and the attacker needs to distinguish the errors based on the response content?
Can I leave my nice 404 error page alone, or does it need to be the same as the 500 error page?
Thanks,
Adam Smith
budugu
All-Star
41188 Points
6034 Posts
Re: My app returns different custom error pages for 500 and 404 - is it vulnerable?
Sep 20, 2010 04:27 PM
No. Don't differentiate between 404s and 500s to clients. From ScottGu's comment:
"One of the ways this attack works is that it looks for differentiation between 404s and 500 errors. Always returning the same HTTP code and sending them to the same place is one way to help block it."
"Don't be afraid to be wrong; otherwise you'll never be right."
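An added example to make the answer concrete (it is not from the thread, and not the text of the published workaround): the two customErrors shapes being contrasted. The page names are placeholders; the attributes are standard ASP.NET customErrors settings.

```xml
<!-- Added example, not from the original thread. Page names are placeholders. -->

<!-- Before: a separate page per status. A client that requests a missing URL
     and a client that triggers an unhandled exception are sent to different
     places, so the two error conditions are distinguishable from outside. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- After: no per-status entries, so every error (404 included) goes to the
     same page, and the page is rewritten into the response rather than
     redirected to, so there is no per-error Location header either.
     redirectMode="ResponseRewrite" requires .NET 3.5 SP1 or later; the default
     is ResponseRedirect. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

The check that answers the original question for your own deployment: request a URL that does not exist and a URL that is known to throw, with a raw HTTP client (for example curl -i), and compare the status line, the headers and the body of the two responses. If anything differs, including the status code, the error conditions are still distinguishable to a client, whatever the custom pages look like in a browser.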