Poor Error Handling

Risk Rating:

If an attacker is able to force the web application into producing an error, it is quite common for these error messages to contain information relating to the underlying operating system, web server, database, or application. This information can then be used either to directly attack the system or to allow other attacks to be directed more accurately.

Default error messages produced by a misconfigured web server generally leak information relating to the type and version of the web server. This is commonly found in 404 error messages, as shown in Figure 13-3, where the page footer reveals detailed version and web server configuration information.

This default error message raises the same concerns as the HTTP Server header discussed previously. An attacker is able to determine whether vulnerabilities exist within the web server or simply use this information in a social engineering attack to reassure the victim that he or she is an internal employee—since only internal employees should know the types and versions of the internal systems, right?

Full filesystem paths are commonly enumerated via error messages produced by application services, such as Tomcat, as shown here:

    java.io.FileNotFoundException: /var/www/vhosts/site1/httpdocs/html/config.xml (No such file or directory)

The attacker now knows exactly how deep the web server filesystem structure is, allowing more accurate directory traversal attacks to be carried out. The filesystem structure itself also reveals that the underlying operating system is a *NIX-based system. The web server also appears to be hosting virtual websites, possibly allowing attacks to be performed against insecure third-party websites in order to compromise the system and, therefore, your web application.

Figure 13-3 Default Apache error message reveals web server type and version.

Databases, such as MySQL, are quite commonly found as the backend storage mechanism for web applications. If the web application and database are not implemented securely, it may be possible to force a database error message to be revealed. These database errors may contain information relating to the SQL query being made by the web application to the backend database, and if you're lucky enough, you may even get the entire SQL query string.

These database error messages are extremely helpful to an attacker when trying to develop a SQL injection attack since the reason why the attack failed is quite often specified in the error, making it much easier to figure out the exact syntax required. A more comprehensive look at SQL injection attacks can be found in "Insufficient Data Validation," later in the chapter.

Errors produced by the web application are generally a little more discreet, but may still allow an attacker to enumerate information within a database, possibly via a brute-force attack. A common mistake made by developers is to generate different error messages for incorrect usernames and incorrect passwords:

    Error: Username is invalid.
    Error: Password is incorrect.

If an attacker attempts to log in with an invalid username and password and receives an error stating that the username was incorrect, then the attacker knows that the username does not exist within the database. If the error returned stated that the password was incorrect, then the attacker could, therefore, assume the username was correct, but the password was wrong.

By using a brute-force technique, an attacker is able to use these error messages to enumerate a list of valid user accounts for the web application. The next stage of the attack may then be to brute-force the passwords for these accounts or to use this information in a social engineering attack either to reset the passwords or, again, to simply reassure the victim that the attacker is, in fact, an employee. Burp Suite's Intruder feature is fantastic at taking advantage of this type of vulnerable error message since it provides the attacker with fine-grained control over the request data and the type of attack to be performed.

Burp Suite also provides a Comparer feature that allows the attacker to detect any differences in the response easily, not just the error message, which means that even if your response only differs by an extra space or new line character, an attacker will be able to enumerate a list of valid accounts for your web application.
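The following is an added example, not code from the book, contrasting the username/password mistake above with a login check that returns one byte-identical failure message and does the same hashing work whether or not the account exists, plus a handler that keeps exception detail (such as the Tomcat path above) out of the client response. The user store, salt, and hash scheme are constructed for illustration only.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth")


def _hash(salt: bytes, password: str) -> bytes:
    # Illustrative scheme only; a real application would use a slow password hash.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}  # constructed sample store

# Dummy credential so unknown usernames cost the same work as known ones.
_DUMMY = (_SALT, _hash(_SALT, secrets.token_hex(16)))


def login_verbose(username: str, password: str) -> str:
    """The mistake described above: the message reveals which part failed."""
    if username not in USERS:
        return "Error: Username is invalid."
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), digest):
        return "Error: Password is incorrect."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: identical failure text and identical work for both cases,
    so neither the message nor a length or timing difference separates them."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), digest) and username in USERS
    if not ok:
        log.info("failed login for user=%r", username)  # detail stays server-side
        return "Error: Username or password is incorrect."
    return "OK"


def safe_error_response(exc: Exception) -> str:
    """Log the exception (e.g. a full filesystem path) server-side and return
    a generic message to the client."""
    log.error("internal error: %s", exc)
    return "An internal error occurred."
```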
