From Application Security and Development Security Technical Implementation Guide
Part of SRG-APP-000441
Associated with: CCI-002420
Applications should not disclose information not required for the transaction. (e.g., a web application should not divulge the fact there is a SQL server database and/or its version).
Review the application system documentation and interview the application administrators. Ask them to demonstrate how the web server and application configuration does not disclose any information about the application which could be used by an attacker to gain access to the application. Ask the application representative to logon as a non-privileged user and review all screens of the application to identify any potential data that should not be disclosed to the user. Review web server configuration and determine if custom error pages are configured to display on error events. Review error pages sent to application users to verify the pages are generic in nature and provide no technical details related to application architecture. If the application displays any application technical data such as database version, application server information, or any other technical details that should not be disclosed to a regular user, this is a finding.
Configure the application to not display technical details about the application architecture on error events.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer