Can you tell if a page does exist even if it throws a 404?

Throwing a 404 error for every invalid request could be questionable; an attacker may start suspecting this behavior, especially if he knows the service he is targeting.
Does this help protect your service? This really depends on the perseverance of the attacker.

Edit:

The attacker can detect the difference if you don't craft the 404 response header properly, as the server would do.

Here is a PoC for the Java server case (Tomcat 8):
This is a 'truthful' 404 status returned by the server itself for any not found resource:

Content-Language:en
Content-Length:1026
Content-Type:text/html;charset=utf-8
Date:Tue, 31 Jan 2017 09:15:54 GMT
Server:Apache-Coyote/1.1

This one is returned by the servlet:

Content-Language:en
Content-Length:992
Content-Type:text/html;charset=utf-8
Date:Tue, 31 Jan 2017 09:18:04 GMT
Server:Apache-Coyote/1.1

Notice the value of "Content-Length" in both cases; this one could attract the attacker's attention.
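As an added example (not code from the original answer), here is a small Python check a maintainer can run on two captured responses, the server's own 404 and the application's hand-made one, to list the headers that would give the game away. It uses the two Tomcat header sets quoted above as its constructed input, ignores Date, and goes one step beyond the answer by also comparing header order, another common tell.

```python
# Added example (not from the original post): compare a server's real 404
# header block with an application's hand-made one and report every header
# whose presence, value or position differs. Sample blocks are the Tomcat 8
# headers quoted in the answer above.

SERVER_404 = """\
Content-Language:en
Content-Length:1026
Content-Type:text/html;charset=utf-8
Date:Tue, 31 Jan 2017 09:15:54 GMT
Server:Apache-Coyote/1.1
"""

SERVLET_404 = """\
Content-Language:en
Content-Length:992
Content-Type:text/html;charset=utf-8
Date:Tue, 31 Jan 2017 09:18:04 GMT
Server:Apache-Coyote/1.1
"""

VOLATILE = {"date"}  # legitimately differs between any two responses

def parse_headers(block):
    """Return (ordered names, {name: value}); names lower-cased, volatile dropped."""
    order, values = [], {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name in VOLATILE:
            continue
        order.append(name)
        values[name] = value.strip()
    return order, values

def distinguishing_fields(real_block, fake_block):
    """Map each differing header to (real, fake); 'header-order' is added when
    the shared headers appear in a different sequence."""
    real_order, real = parse_headers(real_block)
    fake_order, fake = parse_headers(fake_block)
    diffs = {n: (real.get(n), fake.get(n))
             for n in sorted(set(real) | set(fake)) if real.get(n) != fake.get(n)}
    common_real = [n for n in real_order if n in fake]
    common_fake = [n for n in fake_order if n in real]
    if common_real != common_fake:
        diffs["header-order"] = (common_real, common_fake)
    return diffs
```

Running `distinguishing_fields(SERVER_404, SERVLET_404)` on the quoted blocks flags only Content-Length, which is exactly the tell the answer describes.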


Beware, hiding the actual error code smells a little like obfuscation. There is nothing really bad from a security point of view, but it adds little security if any. Do you really think that attackers blindly accept error codes? You know they can be changed at will, and they do too. Ok, it can be useful against script kiddies but not facing a serious attack, so you should really think about what your threat model is before going that way.

And there could be a drawback here. Unless you build a special log system that logs the internal error, you will end up with logs containing only 404 errors. That means that you have lost any possibility of log analysis to try to discover attacks on your site and possible security flaws. IMHO error codes are more useful for the maintainer of an application than for an attacker...

Tags:

Linux

Apache