Security: Returning 404 (Not Found) versus 401 (unauthorized) could leak information

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • CN01
    • Affects Version/s: V4.0_WD01
    • Component/s: Securing OData
    • None
    • Environment: [Proposed]

    • Clarify that the 401 unauthorized response is valid on any request, and that authorization should be checked before any further processing of any request, including 404 not found.

      If an unauthorized attacker can query a particular user and receive a 404 if the user does not exist, there is a potential for information leakage.

      In general, security checks should always take place before any other processing, and 401 should be a valid response to any request.
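      The ordering problem the issue describes, shown as an added example that is not part of this issue or of any OData implementation. The user collection, the bearer token and the `/Users('name')` path shape are constructed for the demonstration; the `handle_leaky` and `handle_safe` handlers are hypothetical. The leaky handler resolves the resource before checking credentials, so an unauthenticated caller can tell existing users (401) from non-existent ones (404); the safe handler checks authorization first and answers 401 in both cases.

```python
"""Added example (not the issue's or any OData project's code): two minimal
request handlers that differ only in whether the authorization check runs
before or after the resource lookup."""

# Constructed sample data: a tiny user collection and one valid API token.
USERS = {
    "alice": {"id": "alice", "role": "admin"},
    "bob": {"id": "bob", "role": "user"},
}
VALID_TOKENS = {"secret-token-123"}  # constructed placeholder credential


def is_authorized(headers):
    """Return True when the request carries a recognised bearer token."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    return scheme == "Bearer" and token in VALID_TOKENS


def lookup_user(path):
    """Resolve an OData-style "/Users('name')" path to a user record, or None."""
    prefix, suffix = "/Users('", "')"
    if path.startswith(prefix) and path.endswith(suffix):
        return USERS.get(path[len(prefix):-len(suffix)])
    return None


def handle_leaky(path, headers):
    """Existence check before authorization: 404 vs 401 reveals which users exist."""
    if lookup_user(path) is None:
        return 404
    if not is_authorized(headers):
        return 401
    return 200


def handle_safe(path, headers):
    """Authorization first: every request without valid credentials gets 401,
    so the caller learns nothing about whether the resource exists."""
    if not is_authorized(headers):
        return 401
    if lookup_user(path) is None:
        return 404
    return 200


def probe(handler, names, headers):
    """Return the status code the handler gives for each user name."""
    return {name: handler(f"/Users('{name}')", headers) for name in names}


if __name__ == "__main__":
    anonymous = {}  # no Authorization header at all
    names = ["alice", "mallory"]  # one existing user, one non-existent
    print("leaky:", probe(handle_leaky, names, anonymous))  # {'alice': 401, 'mallory': 404}
    print("safe: ", probe(handle_safe, names, anonymous))   # {'alice': 401, 'mallory': 401}
```

      A quick way to test a real service for this class of issue is the same probe: send the same unauthenticated request for a known-existing and a known-missing resource, and treat any difference in status code, body length or response headers as a finding.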

    • Assignee: Unassigned
    • Reporter: Michael Pizzo (Inactive)
    • Votes: 0
    • Watchers: 3