Sensitive information in stack traces
I am wanting to discover what possible standard .net exceptions can cause stack traces to include sensitive information.
It is my understanding (correct me if I am wrong) that if a SQL connection fails then the exception message created will include the connection string, which in turn might include the user name and password (if not using integrated security).
We log the exception message out to log files that might be read by people that should not see that information.
What other exceptions can include information such as this that you know of?
The application in question uses Web, WCF and DB (SQL Server).
Thanks
Comments (1)
Personally I don't think that you are going about this the right way. Trying to identify the number of exceptions that could have information in them is going to expose you to risk, more than likely, as one item will get missed; it just happens.
I would switch focus a bit and try to identify a secure location where you can log them.
Another unknown to think about here is that you could have a message created by a developer that contained sensitive information, and identifying those would be very hard.
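An added example, not part of the original thread: rather than enumerating exception types, this sketch scrubs credential-like `key=value` pairs from the full exception text at the single point where it is written to the log. `LogScrubber`, its methods and the sample exception are hypothetical names and constructed data, not an API of .NET or of the application discussed.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper: redacts connection-string style secrets from any text
// before it reaches the log sink, regardless of which exception produced it.
public static class LogScrubber
{
    // Keys commonly used for credentials in SQL Server connection strings.
    // The value is a quoted string, or everything up to the next ';' or line end.
    // Unquoted values are deliberately over-redacted rather than under-redacted.
    private static readonly Regex SecretPair = new Regex(
        @"\b(?<key>password|pwd|user\s*id|uid)\s*=\s*(?<val>'[^']*'|""[^""]*""|[^;\r\n]*)",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Scrub(string text)
    {
        if (string.IsNullOrEmpty(text)) return string.Empty;
        return SecretPair.Replace(text, m => m.Groups["key"].Value + "=***");
    }

    // Exception.ToString() covers the message, inner exceptions and stack
    // trace, so one call also handles developer-authored messages.
    public static string Describe(Exception ex)
    {
        return Scrub(ex.ToString());
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a developer-written message that embeds a
        // connection string, wrapped in an outer exception.
        var inner = new InvalidOperationException(
            "Cannot open 'Server=db01;Database=App;User Id=svc_app;Password=S3cr3t!;'");
        var outer = new ApplicationException("Order lookup failed", inner);

        // Writes the text with "User Id=***" and "Password=***" in place
        // of the original values.
        Console.WriteLine(LogScrubber.Describe(outer));
    }
}
```

Pattern-based redaction only catches the shapes it knows about, so it works as a backstop behind restricted access to the log files, not as a replacement for it.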