![general http error: 404 not found http error: 404 general http error: 404 not found http error: 404](http://3.bp.blogspot.com/-wEb7icJ_3gc/UpRMokvNTtI/AAAAAAAAAqs/dbnH4W2Lpec/s1600/Http+Error++404.png)
Unfortunately, if you have ever attempting to do so, you will have found it less than possible and far from easy. We can leverage this approach when we determine that it would be better to not disclose the existence of a resource, but return 404 instead of 403 HTTP status code. Though, security through obscurity is never in of itself reliable security, it can be and should be used as part of any security in-depth approach. For example, a valid case could be that a 3rd party web resource (.axd) had a known security flaw and could be taken advantage of through other side channels when knowing the resource exists.
![general http error: 404 not found http error: 404 general http error: 404 not found http error: 404](https://www.verticalrail.com/wp-content/uploads/2015/05/404-Page-Not-Found.png)
The disclosure of the resource might only provide a piece of the profile puzzle a malicious user was assembling or it might actually directly provide the user opportunities. However, by returning the applicable and valid 403, we have also made it clear that the resource does exist. One of those situations is when the resource is forbidden (403).Īn authorized user has requested a forbidden resource in which they receive a HTTP 403 forbidden response to the request is a common scenario. But it was obvious that in certain circumstances we can inadvertently disclose information that a malicious user could use to their advantage just by returning the real HTTP status code. In my last post on Security Misconfiguration, part of the discussion was on properly handling error messages to ensure we don’t expose sensitive data to our users. Sometimes the divulged information only fuels the profile the malicious user is assembling against your application or the information directly exposes a serious security weakness. Whether deep diving into OWASP’s Top 10 security flaws or as a direct topic, it is a security area that surfaces over and over again. When talking about web application security, one common denominator that repeatedly comes up is the act of disclosing sensitive application data.