Security - Why 404 instead of 403?



A website I worked on for my dayjob was recently subjected to a security
audit by Watchfire Appscan which showed some SQL injection and XSS
vulnerabilities.  They were all fixed rather quickly and easily, but
Appscan keeps mentioning one thing:

For "hidden" directories (such as "images" or "styles") it says "Issue a
"404-Not Found" response status code for a forbidden resource, or remove it

This is silly, IMO. We've turned off indexes with .htaccess and are issuing
a HTTP 403 response instead.

I understand that fooling attackers into thinking something doesn't exist
is a good idea, but is it any MORE secure than issuing a 403?

Karl Groves

Re: Security - Why 404 instead of 403?



What's a "hidden" directory? Something that's already obviously there
(it's referenced through your images or CSS) or something that isn't
visible by any public, external means (and that often includes

For the first, you might as well return 403. Hey, why not return a
directory listing? Unless it's a risk of its own, you surely have to be
capable of doing that much safely, or all bets are off anyway,

For the second, then there's a small argument for the 404. Don't let
them find _anything_ they don't need to know, including the existence of

Look at the track record of penetrations. It's not the secured front
door that gets kicked in, it's the forgotten "test" script from two
years ago, written by a guy who left ages back, and is still vulnerable
to SQL injection etc.

Re: Security - Why 404 instead of 403?

Karl Groves wrote:


The idea is that a 403 may pique a hacker's interest (His/her thought
process would be "Oooh. a 403...there's /something/ there...let's break
out the l33t hAx0r t001Z.")

That, and an audit that finds x+1 violations is obviously *better*.


Re: Security - Why 404 instead of 403?


It's a lot easier to set an automatic blocking response to a 403 error,
such as 3 - 403 errors from one IP blocks the IP. If it was logged as
a 404 it would be harder to spot someone poking around where they
shouldn't be since it is generally littered with benign favicon
logging. I'd want the actual error (forbidden) just for the sake of
accurate logging.
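
The per-IP 403 counting this post describes, as an added example that is not code from the thread; the access-log lines are constructed in Apache "combined" format and the threshold of three 403s from one IP is the poster's:

```python
import re
from collections import Counter

# Apache "combined" access-log prefix: client IP, ident, user, timestamp,
# request line, status, response size. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/ HTTP/1.1" 403 199
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /styles/ HTTP/1.1" 403 199
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /images/ HTTP/1.1" 403 199
this line is not a valid log entry and is skipped
"""

def parse_line(line):
    """Return (ip, status, request_path) for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    return m.group("ip"), int(m.group("status")), path

def count_status_by_ip(log_text, status=403, ignore_paths=("/favicon.ico",)):
    """Count responses with the given status per client IP.

    ignore_paths filters the benign noise the poster mentions (favicon lookups),
    which matters when counting 404s but is harmless for 403s.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, code, path = parsed
        if code == status and path not in ignore_paths:
            counts[ip] += 1
    return counts

def ips_to_block(log_text, threshold=3, status=403):
    """IPs that hit the threshold: the poster's "3 - 403 errors from one IP" rule."""
    counts = count_status_by_ip(log_text, status)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))  # ['203.0.113.5']
```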

Re: Security - Why 404 instead of 403?

Issuing a 403 confirms that there is something there that you don't
want people to have access to. This encourages malicious individuals
to expend more time and resources on compromising those areas.

Of course, take that with a grain of salt. Is an attacker going to
spend a lot of time trying to get a directory listing for /images? Not
likely, but what about things like:


At the same time why would you issue a 403 for a /images directory,
assuming you're using them all on your site somewhere what difference
could it make if they can see them all listed in one place?

Re: Security - Why 404 instead of 403?

kingthorin wrote:


Ideally, none of these should even be within your document root.

This makes the issue of whether to return a 403 or a 404 a moot point.

Toby A Inkster BSc (Hons) ARCS
Contact Me ~
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

Re: Security - Why 404 instead of 403?


They were just examples.
