Thursday, August 30, 2012

Common mistakes in applications that can give a hacker full knowledge of your database

It is bad practice to write the whole exception message to the client console. If the exception is a JDBC exception thrown because of an error in an update, a failure in trigger execution, etc., the raw exception stack trace carries a lot of information: the tables and fields in the database, and the business rules implemented there whose violation caused the exception. This is a lot for a hacker: he can easily build a knowledge base from these exceptions, validations and business rules implemented in your database; in fact your whole database can be open to him.
It is therefore bad practice to let the presentation layer see the raw JDBC exception stack trace. Instead, application developers should develop wrapper exceptions and show only the relevant exception data on the presentation layer.
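The wrapper pattern described above, as an added example that is not code from the original post: the data-access layer catches the raw `SQLException`, logs its full detail (message, SQLSTATE, vendor code, chained exceptions, stack) on the server under a random reference id, and throws a `DataAccessException` whose message is generic and safe to display. The class names, the SQLSTATE-to-message mapping and the Oracle-style trigger message are assumptions constructed for the demo; no real database is contacted.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ExceptionWrappingDemo {

    /** Wrapper exception: carries only what the presentation layer may see (hypothetical class). */
    public static final class DataAccessException extends Exception {
        private final String referenceId;

        public DataAccessException(String safeMessage, String referenceId, Throwable cause) {
            super(safeMessage, cause);   // cause is kept for server-side logging only
            this.referenceId = referenceId;
        }

        public String getReferenceId() { return referenceId; }

        /** Text that may be shown to the user: no table names, no SQLSTATE, no trigger text. */
        public String toClientMessage() {
            return getMessage() + " (reference " + referenceId + ")";
        }
    }

    private static final Logger LOG = Logger.getLogger(ExceptionWrappingDemo.class.getName());

    /** Map the standard SQLSTATE class (first two characters) to a generic, user-safe message. */
    static String safeMessageFor(SQLException e) {
        String state = e.getSQLState() == null ? "" : e.getSQLState();
        if (state.startsWith("23")) return "The request conflicts with existing data.";   // integrity constraint
        if (state.startsWith("08")) return "The service is temporarily unavailable.";   // connection exception
        return "The request could not be completed.";
    }

    /** Translate a raw JDBC failure into the wrapper: log everything server-side, expose nothing. */
    static DataAccessException wrap(SQLException e) {
        String ref = UUID.randomUUID().toString();
        // Walk the chain: drivers often attach further SQLExceptions via getNextException().
        for (SQLException chained = e; chained != null; chained = chained.getNextException()) {
            LOG.log(Level.SEVERE, "ref=" + ref + " sqlState=" + chained.getSQLState()
                    + " vendorCode=" + chained.getErrorCode(), chained);
        }
        return new DataAccessException(safeMessageFor(e), ref, e);
    }

    /** Simulated DAO call; in real code this would wrap a PreparedStatement.executeUpdate(). */
    static void updateAccount(boolean failWithTrigger) throws DataAccessException {
        try {
            if (failWithTrigger) {
                // Constructed sample of what a trigger error looks like; the text and code are made up.
                throw new SQLException(
                    "ORA-20001: Withdrawal exceeds CUSTOMER_ACCOUNTS.CREDIT_LIMIT (trigger TRG_CHECK_LIMIT)",
                    "23000", 20001);
            }
        } catch (SQLException e) {
            throw wrap(e);
        }
    }

    public static void main(String[] args) {
        try {
            updateAccount(true);
        } catch (DataAccessException e) {
            // This is all the presentation layer gets: a generic message plus a reference id
            // the support team can use to find the full record in the server log.
            System.out.println(e.toClientMessage());
            // Never render e.getCause() or e.printStackTrace() into the client response or an error page.
        }
    }
}
```

The reference id is the piece that makes the pattern workable in practice: the user sees nothing about tables, fields or triggers, but support can still correlate the complaint with the full stack trace in the server log. The same check applies to any framework default error page: confirm that it does not fall back to printing the cause chain when the wrapper is thrown.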

Note: "I recently had a chance to work with a very good consultant from McAfee. He told me that this is one of the main reasons hackers can hack the most secured applications easily: once they have access to the application they try different operations to cause exceptions and build their knowledge by looking into the different exceptions." This was a very informative session where I learnt a lot. I will be writing more blogs on it, so keep your fingers crossed and wait for some more good blog posts :).
