Keeping user feedback and error messages vague denies an attacker feedback that might help them in future attempts.
Hackers use the results of their actions to improve their chances of success. Imagine that a hacker visits a standard login page on a website, and they try a user name and password. If the response is user name not found, then the hacker knows to try a different user name. If after a few tries the response changes to password not found, they'll know they've made some progress. And they've found a valid user name. A more secure approach is to return an identical login failed message in both cases. Don't tell a hacker when their actions are getting warmer or colder. They can just use that information to adjust their attacks. Give as little information back as necessary. This applies to all user messages but especially to error messages. These may be errors that you're expecting and handling like failed logins. Or they may be unexpected errors caused by bugs in your code. When developing a website, it's helpful to have error reporting enabled …
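The following is an added example, not code from the course, that puts the transcript's advice into a small login handler. It shows the leaky version (a different message for "unknown user" and "wrong password") next to a hardened version that returns one generic message for every failure and keeps the detail in the server-side log; the user store, the user name `alice` and its password are constructed sample data. The hardened version also checks unknown user names against a dummy record, an assumed extra step beyond the transcript, so that the amount of work done does not itself reveal whether the user name exists.

```python
import hashlib
import hmac
import logging
import os
import secrets

# Constructed sample user store: username -> (salt, PBKDF2 hash).
# In a real application these records would come from a database.
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(credentials):
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


USERS = make_user_store({"alice": "correct horse battery staple"})

# Dummy record used for unknown user names, so the hashing work (and hence the
# response time) is the same whether or not the user name exists. Assumption:
# the random password below never matches a real submission.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

# Every failure, whatever its cause, gets this one message.
GENERIC_FAILURE = "login failed"


def login_leaky(username: str, password: str):
    """The pattern the transcript warns about: each failure names its cause."""
    record = USERS.get(username)
    if record is None:
        return False, "user name not found"  # tells the caller to try another name
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "wrong password"  # confirms the user name exists
    return True, "login ok"


def login_uniform(username: str, password: str):
    """Hardened version: identical message for unknown user and wrong password."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the comparison first, then confirm the user really exists.
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if not (password_ok and username in USERS):
        # Detail stays on the server side, where it is useful for detection.
        logging.getLogger("auth").info("failed login for user %r", username)
        return False, GENERIC_FAILURE
    return True, "login ok"


def handle_login_request(username, password):
    """Wrap the handler so unexpected bugs also produce a generic message."""
    try:
        return login_uniform(username, password)
    except Exception:
        # Full traceback goes to the log, not to the user.
        logging.getLogger("auth").exception("unexpected error during login")
        return False, "an error occurred"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(login_leaky("bob", "guess"), login_leaky("alice", "guess"))
    print(login_uniform("bob", "guess"), login_uniform("alice", "guess"))
    print(handle_login_request("alice", "correct horse battery staple"))
```

Compare the two `login_leaky` calls in the usage block with the two `login_uniform` calls: the first pair lets a caller tell a valid user name from an invalid one, the second pair does not. Detailed error reporting belongs in the server log or in a development configuration, never in the response sent to the browser.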
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
1. Security Overview
2. General Security Principles
3. Filter Input, Control Output
4. The Most Common Attacks