Security - Why 404 instead of 403?

Giganews Newsgroups
Subject: Security - Why 404 instead of 403?
Posted by:  Karl Groves (ka…@NOSPAMkarlcore.com)
Date: Thu, 05 Apr 2007

A website I worked on for my dayjob was recently subjected to a security
audit by Watchfire Appscan which showed some SQL injection and XSS
vulnerabilities.  They were all fixed rather quickly and easily, but
Appscan keeps mentioning one thing:

For "hidden" directories (such as "images" or "styles") it says "Issue a
"404-Not Found" response status code for a forbidden resource, or remove it
completely".

This is silly, IMO. We've turned off indexes with .htaccess and are issuing
a HTTP 403 response instead.

I understand that fooling attackers into thinking something doesn't exist
is a good idea, but is it any MORE secure than issuing a 403?

--
Karl Groves
http://www.thehotrodclassifieds.com
http://www.grayscalecms.com
http://www.karlcore.com

Replies