
Benefits of random responses to exceptions over generic error responses

Çağlar Arlı      -    9 Views


Attackers can send requests with data that the server does not expect in order to try to get responses that reveal secret data. One common example is when the server experiences an exception. A poorly configured server might include a detailed error message in the response, which leaks information the attacker can take advantage of. One common way to handle this issue is to reply with generic error messages, for example, in the case of HTTP, with an HTTP error response 400 or 404 with little to no additional information. Another approach I recently heard mentioned in a talk was to reply to exceptions with fake generated responses, for example by including fake exception details in error responses or by replying with an OK response with fake data (in a way that leaves genuine users unaffected).

It feels like this second approach could be a case of security by obscurity. If the attacker knows that responses can be fake, then the fake responses might no longer be much different from a generic error message. The only clear benefit I can think of is possibly confusing an attacker when they first encounter it, until they figure out the scheme. The people who presented the approach seemed to think it was much better than generic error messages, however, and they work in security, so I trust them more than myself. Sadly, they did not elaborate further in their talk, and I fail to understand why it would be better. What could other possible benefits be?
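The three response strategies the question contrasts, side by side, as an added example (not code from the original post or from the talk it mentions). The lookup function, the `DatabaseError` whose message echoes the failing query, the in-memory `USERS` table and the decoy record shape are all constructed for illustration; a real driver error would differ in wording but leaks in the same way.

```python
import logging
import secrets
import traceback
import uuid

log = logging.getLogger("api")

# Constructed in-memory "user table" standing in for a real database.
USERS = {"alice": {"id": 1, "email": "alice@example.com"}}


class DatabaseError(Exception):
    """Stand-in for a driver exception whose message quotes the failing SQL."""


def lookup_user(username):
    """Hypothetical data-access layer. A quote in the input makes the backend
    fail with an error that embeds the query, mimicking a real driver error.
    Returns None for an unknown but well-formed username."""
    if "'" in username:
        raise DatabaseError(
            "syntax error in SELECT id, email FROM users WHERE name='%s'" % username
        )
    return USERS.get(username)


def serve(username, on_error):
    """Request handler: genuine requests take the same path under every
    strategy; only the exception branch is delegated to `on_error`.
    Returns (http_status, json_body)."""
    try:
        user = lookup_user(username)
    except Exception as exc:
        ref = uuid.uuid4().hex
        # The real detail is always kept server-side under a reference ID,
        # whichever strategy decides what the client sees.
        log.exception("request failed ref=%s user=%r", ref, username)
        return on_error(exc, ref)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def verbose_error(exc, ref):
    """Poorly configured server: the exception text and traceback go to the
    client, so the SQL (and the echoed input) are exposed."""
    return 500, {"error": str(exc), "trace": traceback.format_exc(), "ref": ref}


def generic_error(exc, ref):
    """Generic error response: a fixed message plus the reference ID that
    support staff can match against the server log."""
    return 400, {"error": "bad request", "ref": ref}


def decoy_success(exc, ref, rng=secrets.SystemRandom()):
    """Fake-success response: an OK status with a record shaped exactly like
    a real one but containing random, non-existent values. The shape must
    match the genuine response or the decoy is trivially distinguishable."""
    return 200, {
        "id": rng.randrange(10_000, 10_000_000),
        "email": "user%d@example.com" % rng.randrange(1000, 9999),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for strategy in (verbose_error, generic_error, decoy_success):
        print(strategy.__name__)
        for name in ("alice", "bob", "x'"):
            print("  ", repr(name), "->", serve(name, strategy))
```

Running the module prints each strategy's responses for a genuine user, an unknown user and an injected quote: only `verbose_error` returns the query text, `generic_error` returns the reference ID and nothing else, and `decoy_success` returns a 200 whose body cannot be told apart from a real record by shape alone. Note that the handler's timing and headers are unchanged here; a decoy that is only indistinguishable in its JSON body still leaves the exception path observable through response time or other side channels.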