[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 09:42:14 CDT 2007

If you're an intelligent hacker, you can probably fingerprint the responses.
A 404 issued by the webserver itself is probably going to have a slightly
different packet response to a 404 generated by application level code. Might
not be obvious under some situations (e.g. a single user making requests),
but might become obvious under others (e.g. send multiple simultaneous


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Stephen Rider
Sent: Thursday, 7 June 2007 12:40 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

On Jun 6, 2007, at 9:20 AM, patrick wrote:

> Stephen Rider wrote:
>> If the person is not logged in at all, they get a 30x redirect to a
>> "Please log in" page.
>> IF they are logged in and try to access something they don't have
>> rights to, they get a 404 page that says something noncommittal such
>> as "The page was not found or you don't have access."
> Saying this '...you don't have access.' does not do this '...leaves  
> the
> obscurity barrier to the hacker'
>> That's leaves the obscurity barrier to the hacker, but gives some
>> info to the legit user who made a mistake.

Sure it does.  As others have pointed out, any hacker worth his salt  
is going to know that 404s are frequently used for access denied  
pages, so you're not giving them info they don't have there.  What  
you ARE doing is preventing them from knowing if the particular  
object exists.  /object/21 (access denied) gives the exact same  
result as /object/36 (doesn't exist) or /object/abc (invalid).


More information about the thelist mailing list