error handling

spezticle · 03-23-2012, 09:16 PM

so i'm not entirely sure how difficult this would be but i'm pretty sure it's possible.

Can I tell apache to report all '403 forbidden' errors as 404 not found?

I know i can do a custom errorpage but for somebody who is looking for errors or sniffing for certain directories they can easily figure out that it's actually a 403

unSpawn · 03-24-2012, 08:34 PM

What's wrong with sending a "Forbidden" to the client? What do you think it reveals that you should deviate from the standard?

spezticle · 03-24-2012, 11:28 PM

good question.

Here's my thought process:
If somebody tries going to /phpmyadmin and it says "forbidden" they know it's there
but if they get an authentic 404 even though it is there and is forbidden, it could deter them from trying harder to access it through other exploits.

I got this idea from a phpbb3 mod that does a sort of the same thing but only relative to its own system.
http://www.phpbb.com/customise/db/mod/anti_snooping/

unSpawn · 03-25-2012, 05:32 AM

Hmm. The majority of scanning for low-hanging fruit is not an economical process nor does it need to be. It is done automatically and without logic so you should not assume the scanning software is smart enough to back off given a handful of 404s. Exploiting low-hanging fruit in the web stack means just throw a few, say WordPress plugin, exploits at it and see if one sticks. If none do then just move on to the next. So IMHO it's not worth the trouble.