Unhandled error in web application

By
Rejah Rehim
Published on
24 Jun 2018
1 min read

The most efficient and secure web applications are built to prevent data leakage. Error messages generated by the server are of great use to attackers: they reveal details about the server software and its weaknesses, and with that information an attacker can plan an attack. Web servers frequently generate such error messages when an exception goes unhandled.

Example

    <%@ Import Namespace="System.Diagnostics" %>
    <script language="C#" runat="server">
        // Event source for the Windows Event Log; it must be registered once
        // (EventLog.CreateEventSource) before the first write.
        const string LogSource = "WebApplication";

        void Application_Error(Object sender, EventArgs e) {
            Exception error = Server.GetLastError();
            // Full detail (URL, message, stack trace) stays server-side only
            String Message = "\n\nURL: http://localhost/" + Request.Path
                              + "\n\nMESSAGE:\n " + error.Message
                              + "\n\nSTACK TRACE:\n" + error.StackTrace;
            // Insert into Event Log
            EventLog Log = new EventLog();
            Log.Source = LogSource;
            Log.WriteEntry(Message, EventLogEntryType.Error);
            // Clear the error so ASP.NET does not render its default error page,
            // then send the user to a generic page that reveals nothing
            Server.ClearError();
            Response.Redirect("Error.htm");
        }
    </script>

Impact

The impact includes:

  • Data Breach
  • Injection attacks
  • Blind attacks

Mitigation / Precaution

Beagle recommends the following fixes:

  • Verify that the application does not leak information via error messages.
  • Disable or limit detailed error handling.
  • Ensure that secure paths that have multiple outcomes return similar or identical error messages.
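The three fixes above come down to one pattern: log the full detail server-side, and return the same generic message (plus an opaque reference id) to the client no matter which step failed. The following plain C# sketch is an added example, not code from the original post; the ErrorSanitizer class, its in-memory ServerLog and the sample exceptions are all constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical helper (not from the original post): full detail goes to the
// server log, the client always receives one fixed message.
public static class ErrorSanitizer
{
    // Constructed stand-in for the real server-side log (Event Log, file, SIEM).
    public static readonly List<string> ServerLog = new List<string>();

    // Called from the global error handler (Application_Error in Web Forms,
    // exception middleware elsewhere). Returns the client-facing text.
    public static string HandleError(string path, Exception ex)
    {
        // Opaque reference so operators can match a user report to the log entry
        // without the response revealing anything about the failure.
        string reference = Guid.NewGuid().ToString("N");
        // Type, message and stack trace are logged only, never sent to the client.
        ServerLog.Add($"ref={reference} path={path} type={ex.GetType().FullName} " +
                      $"message={ex.Message}\nstack={ex.StackTrace ?? "(none)"}");
        // Identical wording for every outcome on the path, so the response cannot
        // be used to tell an unknown user from a wrong password.
        return $"Something went wrong. Quote reference {reference} when contacting support.";
    }

    // Review check: two client messages must be identical once the reference is masked.
    public static bool SameClientMessage(string a, string b)
    {
        string ma = Regex.Replace(a, "[0-9a-f]{32}", "<ref>");
        string mb = Regex.Replace(b, "[0-9a-f]{32}", "<ref>");
        return ma == mb;
    }
}

public class Program
{
    public static void Main()
    {
        // Constructed failures that a verbose handler would echo to the browser verbatim.
        string m1 = ErrorSanitizer.HandleError("/login",
            new InvalidOperationException("user 'admin' not found in table Users"));
        string m2 = ErrorSanitizer.HandleError("/login",
            new UnauthorizedAccessException("password hash mismatch for 'admin'"));
        Console.WriteLine(m1);
        Console.WriteLine(m2);
        Console.WriteLine("identical to client: " + ErrorSanitizer.SameClientMessage(m1, m2));
        Console.WriteLine("entries logged server-side: " + ErrorSanitizer.ServerLog.Count);
    }
}
```

SameClientMessage is the kind of check to run against each secure path when verifying the first and third fixes: any difference in the masked output means the path still leaks which outcome occurred.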