views: 67

answers: 3

Is there a real reason to hide exceptions on a webpage? I can understand hiding them to not scare users, but on the site I am developing there's no concern for scaring users. I imagine if you have SQL injection holes, hiding the exception won't actually matter.

So what reasons might one have to hide exceptions on a webpage from users?

+6  A: 

Yes. Exceptions and error messages often contain extra information that an attacker might be able to exploit, such as:

  • Table/Column names
  • Connection strings
  • Names/locations of files
  • Method signatures and callstack info
  • Operating system, service pack info (valuable if you want to exploit an unpatched vulnerability)
  • etc
Mitch Wheat
+7  A: 

I imagine if you have SQL injection holes, hiding the exception won't actually matter.

Oh, but it will. It can make the difference between the hole being found and exploited, and it not being found and exploited :)

Security through obscurity as the only security measure is dangerous. But it's a good thing to have as an additional one.

Exceptions and error messages

  • Can give an attacker information about how the code is built (e.g. library functions used - catastrophic if one of them can be exploited)

  • Can give an attacker information about the underlying system in general (OS / Platform, server, frameworks used, versions....)

  • Can give an attacker information about the site's path structure and file locations. While not dangerous in itself, this is valuable information when exploiting a directory traversal security hole for example.

This is ample reason to hide this information from the public at all times.

Pekka
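As an added illustration of both answers above (example code, not part of the original thread): a minimal request handler written two ways. The "verbose" version echoes the exception to the browser, so the connection string, table name, file path and stack trace from the answers' lists all end up in the response body; the "hardened" version writes the full traceback to the server log under a correlation id and sends the client only that id. The small `find_leaks` check scans a response for exactly those kinds of artefacts, the sort of assertion one would put in an integration test. The failing data layer, the connection string, the path `/var/www/shop/...` and the table name are all constructed placeholders, not taken from any real system.

```python
"""Leaking vs. hiding exception details in an HTTP error response.

Added example, not code from the original Q&A. All names, paths and
credentials below are constructed placeholders.
"""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app")


def query_orders(customer_id: str) -> list:
    """Constructed stand-in for a data layer whose failure message carries a
    connection string, the SQL text and the source file path."""
    conn_str = "Server=db01.internal;Database=orders;User Id=app_user;Password=hunter2"
    raise RuntimeError(
        f"Cannot open connection '{conn_str}' while running "
        f"SELECT * FROM tbl_orders WHERE customer_id = '{customer_id}' "
        f"(in /var/www/shop/dal/orders.py)"
    )


def handle_request_verbose(customer_id: str) -> tuple[int, str]:
    """The 'before': the exception text and traceback go straight to the client."""
    try:
        return 200, str(query_orders(customer_id))
    except Exception as exc:
        return 500, "Error: " + str(exc) + "\n" + traceback.format_exc()


def handle_request_hardened(customer_id: str) -> tuple[int, str]:
    """The 'after': full detail is logged server-side under a correlation id;
    the client gets a generic message plus the id for support to look up."""
    try:
        return 200, str(query_orders(customer_id))
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        log.exception("unhandled error, incident=%s", incident_id)
        return 500, f"Something went wrong. Reference: {incident_id}"


# Patterns for the categories of information the answers above list.
# Used to confirm that an error response does not disclose them.
LEAK_PATTERNS = {
    "connection_string": re.compile(r"(?i)(password|pwd|user id)\s*="),
    "file_path": re.compile(r"(/var/www/|[A-Za-z]:\\)[^\s'\"]+"),
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.]+\("),
    "sql_text": re.compile(r"(?i)\bselect\b.+\bfrom\b\s+\w+"),
}


def find_leaks(body: str) -> list[str]:
    """Return the names of the leak categories found in a response body."""
    return [name for name, pattern in LEAK_PATTERNS.items() if pattern.search(body)]


if __name__ == "__main__":
    for handler in (handle_request_verbose, handle_request_hardened):
        status, body = handler("42")
        print(f"{handler.__name__}: HTTP {status}, leaks={find_leaks(body)}")
```

Running the module prints the four leak categories for the verbose handler and an empty list for the hardened one; the log line with the traceback still reaches whatever handler `logging` is configured with, so nothing is lost for debugging, only for the visitor.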
+1  A: 
Richard