I'm currently studying Mutillidae for personal purpose, trying to understand the PHP code.
I got a question:
I'm trying to understand what part of the code makes this possible.
I'm investigating index.php, login.php and process-login-attempt.php.
I also tried to investigate the different HTTP headers that are sent when login is submitted.
Thanks and compliments for the great work!
Well, I think I got it.
So the question is: how can I deny my web application to be so chatty, and to prevent it to notify errors to everybody?
I want an attacker not to easily understand that my we application is vulnerable, so that he must try with, say, some timing attacks.
The class that handles errors accepts an argument indicating the current service level. If the level changes, the class sets a private property with the new security level. When the method that writes out errors is called, the method checks this private property. The property tells the method how much information to give out.