Tip 1: Tell the Attacker Nothing

Don't return errors that include the text of the failed SQL attempts. Internet Information Services returns a 500-100 error message by default when a scripting error occurs, but returning errors that do not include debugging text is sometimes better. For example, I entered some bogus names and passwords and received error messages like this:
Error Type:
Microsoft JET Database Engine (0x80040E14)
Syntax error (missing operator) in query expression
'(name='x' or 1) or ('1') and (pwd=''p')'.
/login.asp, line 24
As you can see, part of the SQL syntax is returned, which can help an attacker determine how to correctly construct the name and password to create a bogus yet valid expression.
The simplest way to reduce the amount of information returned is to modify the %winnt%\help\iisHelp\500-100.asp page, or create a new file and configure IIS to use the new file for 500.100 errors. You can achieve this by performing these steps:
- Open the IIS admin tool.
- Right click the Web server in question.
- Select Properties.
- Click the Custom Errors tab.
- Enter the new filename for your custom 500.100 error page.
While we're on the subject, never return error messages that include physical locations in the error. For example, a message such as "Unable to find foo.doc at c:\wwwroot\secretlocation" is a bad idea, because it reveals the server's directory layout. A simple 404 will suffice.
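The following is an added example, not code from the article; it recreates the login page's failure mode in Python with an in-memory sqlite3 database standing in for the JET database, and the function names, table layout and credentials are constructed for illustration. login_verbose echoes the driver error and the SQL text to the client, as the 500-100 page above does, while login_quiet uses a parameterized query, writes the detailed error to the server log under a reference id, and returns a fixed message that contains neither SQL fragments nor file paths, which covers both points made in this tip.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("login")


def setup_db():
    """Constructed sample database: one user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return conn


def empty_db():
    """A connection with no tables, used to trigger a genuine server-side failure."""
    return sqlite3.connect(":memory:")


def login_verbose(conn, name, pwd):
    """Insecure pattern from the article: input concatenated into SQL and the
    driver's error, SQL text included, sent straight back to the client."""
    sql = f"SELECT name FROM users WHERE (name='{name}') AND (pwd='{pwd}')"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Leaks the failed statement, exactly what the tip says not to do
        return 500, f"Error: {exc} in query expression {sql}"
    return (200, "ok") if row else (401, "invalid credentials")


def login_quiet(conn, name, pwd):
    """Hardened form: parameterized query, full detail kept in the server log,
    and only an opaque reference id returned to the client."""
    sql = "SELECT name FROM users WHERE name=? AND pwd=?"
    try:
        row = conn.execute(sql, (name, pwd)).fetchone()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        # The operator can look the reference up in the log; the client cannot
        log.error("login failure ref=%s: %s", ref, exc)
        return 500, f"An internal error occurred (reference {ref})."
    return (200, "ok") if row else (401, "invalid credentials")


if __name__ == "__main__":
    db = setup_db()
    # The malformed name/password pair quoted in the article's error message
    bad_name, bad_pwd = "x' or 1) or ('1", "'p"
    print(login_verbose(db, bad_name, bad_pwd))  # SQL text appears in the response
    print(login_quiet(db, bad_name, bad_pwd))    # plain "invalid credentials"
    print(login_quiet(empty_db(), "alice", "secret"))  # generic message with reference id
```

The reference id is the piece practitioners usually forget: it lets support staff find the real exception in the server log without the response carrying any of it, so the client-facing string can stay constant regardless of what failed.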