Exam CAS-004
Question 441

A security researcher identified the following messages while testing a web application:

/file/admin/myprofile.php ERROR file does not exist.

/file/admin/userinfo.php ERROR file does not exist.

/file/admin/adminprofile.php ERROR file does not exist.

/file/admin/admininfo.php ERROR file does not exist.

/file/admin/universalprofile.php ERROR file does not exist.

/file/admin/universalinfo.php ERROR file does not exist.

/file/admin/restrictedprofile.php ACCESS is denied.

/file/admin/restrictedinfo.php ERROR file does not exist.

Which of the following should the researcher recommend to remediate the issue?

    Correct Answer: C

    The issue is that the web application returns detailed error messages that reveal both the existence and the permissions of files. In the messages above, the single "ACCESS is denied." response confirms that /file/admin/restrictedprofile.php exists, while every other path is reported as missing; an attacker can use such differences to map the server's structure and locate targets. Proper error handling should be implemented so that error messages do not disclose these details: users should see generic, user-friendly messages, while detailed error logs are kept server-side so that developers and administrators can diagnose issues without exposing sensitive information.
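As an added example (not part of the exam page), a minimal Python file-serving handler in its leaky form beside a hardened one: the leaky version reproduces the two distinguishable messages from the question, while the hardened version returns one generic body for every failure and writes the real cause to the server log under a reference id. ALLOWED_ROOT and the sample file it holds are constructed for the example.

```python
import logging
import os
import tempfile
import uuid

log = logging.getLogger("fileserve")

# Constructed sandbox root holding one readable file so the example runs offline.
ALLOWED_ROOT = tempfile.mkdtemp(prefix="fileserve-")
with open(os.path.join(ALLOWED_ROOT, "public.txt"), "w") as _fh:
    _fh.write("hello")


def _read(rel_path: str) -> str:
    """Resolve rel_path under ALLOWED_ROOT and return the file contents.
    Raises PermissionError for paths that escape the root; OS errors such as
    FileNotFoundError and IsADirectoryError propagate to the caller."""
    full = os.path.abspath(os.path.join(ALLOWED_ROOT, rel_path))
    if os.path.commonpath([ALLOWED_ROOT, full]) != ALLOWED_ROOT:
        raise PermissionError("path escapes allowed root")
    with open(full, "r") as fh:
        return fh.read()


def serve_file_verbose(rel_path: str) -> tuple[int, str]:
    """Leaky handler matching the question: the caller learns whether the
    file is absent or merely forbidden, so a 'denied' reply confirms it exists."""
    try:
        return 200, _read(rel_path)
    except FileNotFoundError:
        return 404, f"/file/{rel_path} ERROR file does not exist."
    except (PermissionError, IsADirectoryError):
        return 403, f"/file/{rel_path} ACCESS is denied."


def serve_file_generic(rel_path: str) -> tuple[int, str, str]:
    """Hardened handler: every failure gets the same status and the same
    generic body; the real cause is logged server-side under a reference id
    that the user can quote to support staff."""
    ref = uuid.uuid4().hex[:8]
    try:
        return 200, _read(rel_path), ref
    except OSError as exc:
        # Detail stays in the server log; only the reference id leaves the server.
        log.warning("ref=%s path=%r reason=%s", ref, rel_path, exc)
        return 404, "An error occurred.", ref
```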

Discussion
23169fd, Option: C

The messages provide information about the existence and access permissions of certain files, which can be useful to an attacker. Proper error handling involves:
Ensuring that error messages do not reveal sensitive information about the server or its structure.
Customizing error messages to be generic and user-friendly without disclosing specifics about the error (e.g., "An error occurred" instead of "ERROR file does not exist" or "ACCESS is denied").
Logging detailed error information on the server side for debugging purposes without exposing it to the end user.