Is it bad practice to display user input in error messages in a JSON response?

Time: 2020-12-20 19:00:06

I've been of the opinion that error messages should display as little information as possible to prevent any hints an attacker could use to gain access to sensitive information.

Here's an example. This endpoint accepts the optional request parameter group which could be the ID or name of the group.

POST /sign-in/?group=[group_id_or_name].

Also accepted is HTTP basic auth for username and password.

Before the username and password validation check, the code checks if the group is valid and exists or not.

If the group is invalid, REST API returns a bad request with the error message:

The requested group is invalid.

But an alternative is to display this error message:

The requested group [prints requested_group_parameter value here] is invalid.

Yes, the requested group is already available in the request parameter, but is there any possibility the user could inject bad input into the request and have it show malicious information?

Are there any questionable practices here or is this all trivial?

1 solution

#1

0

You should be careful when returning, as there might have been an SQL injection attack (or buffer overflow, or XSS, or some other attack that I may be forgetting - depending on your scenario). These should be taken care of anyway, but if you return the result of a query, it might be easier for an attacker to perform such attacks (again, depending on your code and scenario).

Besides that, since the group originates from the client, and therefore a user can see it by inspecting the code of the page or by using some browser add-on, I don't see any problems. Assuming that there are no attacks like the ones described above, the user will only be able to see what he/she typed as a group name. So sending either of the two messages is fine.

Now, if the names of the groups are sensitive information and you don't want them to leak, in order to prevent a brute force attack, you should not send any message back at the point of checking the group name. You should instead continue the whole procedure as if the group name was correct, ask for username and password, check if these are correct (in order to avoid timing attacks) and only then return that the group, username, or password are wrong or don't exist. However, if by having credentials you can log in to any group, this method still fails, as someone who has credentials and gets an error message can easily understand that the incorrect information is the group name.

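The two designs discussed above, as an added example that is not part of the question or the answer: a handler that returns early on an unknown group (and reflects the parameter, JSON-escaped), beside a handler that always runs the password check and returns one generic message so an unknown group is not distinguishable from a wrong password. The group/user store, the `sign_in_*` names and the salt are constructed stand-ins, not a real API.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample store (hypothetical): group -> {username: salted password hash}.
_SALT = b"constructed-salt"

def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)

GROUPS = {"engineering": {"alice": _pw_hash("correct horse")}}
# Hash of a random password; verified against when group or user is unknown so the
# expensive PBKDF2 step runs on every request, not only on the "group exists" path.
_DUMMY_HASH = _pw_hash(secrets.token_hex(16))

def basic(user: str, pw: str) -> str:
    """Build an HTTP Basic Authorization header value (test helper)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def _parse_basic_auth(header: str):
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return None, None
    user, _, pw = base64.b64decode(b64).decode().partition(":")
    return user, pw

def sign_in_leaky(group: str, auth_header: str):
    """Early return on an unknown group: the 400 confirms or denies that the group exists
    before any credential is checked, which is what enables group-name enumeration."""
    if group not in GROUPS:
        # json.dumps escapes quotes and control characters, so the reflected value cannot
        # break out of the JSON document; what the *client* does with it is a separate issue.
        return 400, json.dumps({"error": f"The requested group {group} is invalid."})
    user, pw = _parse_basic_auth(auth_header)
    stored = GROUPS[group].get(user)
    if stored is not None and hmac.compare_digest(stored, _pw_hash(pw or "")):
        return 200, json.dumps({"status": "ok"})
    return 401, json.dumps({"error": "Invalid credentials."})

def sign_in_uniform(group: str, auth_header: str):
    """Always verify a password (dummy hash if group/user is unknown) and return one message,
    so message and timing are the same for bad group, bad user and bad password."""
    user, pw = _parse_basic_auth(auth_header)
    stored = GROUPS.get(group, {}).get(user, _DUMMY_HASH)
    # compare_digest runs first so it is never short-circuited away.
    ok = hmac.compare_digest(stored, _pw_hash(pw or "")) and user in GROUPS.get(group, {})
    if ok:
        return 200, json.dumps({"status": "ok"})
    return 401, json.dumps({"error": "The group, username or password is incorrect."})
```

As the answer notes, the uniform variant only helps when a valid credential is tied to its group; a user who can log in to any group still learns which part was wrong.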