Security threats associated with exposed server side error details
This topic may be categorized under penetration testing and hacking for a website. According to Open Web Application Security Project (2014), there are many SQL Injection exploitation techniques that utilize detailed error messages from the database driver. Further in depth testing and code review may help determine possible vulnerabilities and minimize the risk.
Improper error handling is not only unpleasant for the end user, but also serves as a starting point for the hackers to define strategy by exposing high level and low level software components deployed to build an application. It may include how the website is logically built up from top to bottom along with database schema. If an expert attackers knows exactly the building blocks and DB schema of an application, he is half done stealing the confidential information you may be hiding from anonymous users.
All the software bundles provide developers with basic building blocks which may be used to do robust error handling. For example:
· Apache is a common HTTP server for serving HTML and PHP web pages. By default, Apache shows the server version, products installed and OS system in the HTTP error responses. Responses to the errors can be configured and customized globally, per site or per directory in the apache2.conf using the ErrorDocument directive. In case of error, Apache can be configured to output hardcoded error message, a customized message, redirect to external or internal page using ErrorDocument directive. Administrators may configure AllowOverride using .htaccess file. For allowing ErrorDocument you need to set AllowOverride to All. ServerTokens and ServerSignature may be configured to hide server specific information in http errors.
· Generally Microsoft technologies based web applications are deployed on Internet Information Services (IIS). In a typical .Net web application, developers may suppress the unhandled errors being exposed to users by custom error page. A .Net web application which shows yellow screen of error is built by novice team of developers. In some of the applications, error handling is taken very seriously using custom exception handling http modules. Along with custom error page a unique identifier is sent as a hidden variable to the client side, which end user may be easily instructed to share with support team. This unique identifier is generated by the custom http error handling module, and saved along with error information in multiple possible ways. Some the applications I have seen use third party frameworks like Elmah and Log4net for robust logging in flat text files and error database. A detailed low level application design defines what information is required by end user to do correction in input data and what else is to be hidden by the error handling modules assigning a tracking unique identifier.
Next time, when you are in development phase of a web application, remember that your responsibility to handle errors does not end with a try catch finally. There must be low level details specified and planned for well ahead. Some hacker on the other corner of this world is waiting for you to shirk work.
Apache Software Foundation. (2015, December 10). Log4net (Version 2.0.5) [Computer software]. Retrieved from https://www.nuget.org/packages/log4net/
Aziz, A. (2012, April 13). ELMAH (Version 1.2.2) [Computer software]. Retrieved from https://www.nuget.org/packages/elmah/
Open Web Application Security Project. (2014, August 8). Improper Error Handling. Retrieved February 23, 2016, from https://www.owasp.org/index.php/Improper_Error_Handling
Penn Computing. (2016, February 26). SWAT Top Ten: Improper Error handling. Retrieved February 26, 2016, from http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A7.php
The Apache Software Foundation. (2016). Apache Core Features. Retrieved February 26, 2016, from http://httpd.apache.org/docs/2.2/mod/core.html