Vulnerability
The most efficient and secure web applications are made by preventing data leakage. The error messages generated from the server is of greatest use to attackers. The attackers can get information about the servers along with their loopholes. Using this information, the attacker can plan an attack. This server frequently generates error messages.
Example
<%@ Import Namespace="System.Diagnostics" %>
<script language="C#" runat="server">
void Application_Error(Object sender, EventArgs e) {
String Message = "\n\nURL: http://localhost/" + Request.Path
+ "\n\nMESSAGE:\n " + Server.GetLastError().Message
+ "\n\nSTACK TRACE:\n" + Server.GetLastError().StackTrace;
// Insert into Event Log
EventLog Log = new EventLog();
Log.Source = LogName;
Log.WriteEntry(Message, EventLogEntryType.Error);
Server.Redirect(Error.htm) // this shall also clear the error
}
</script>
Impact
The impact include:-
- Data Breach
- Injection attacks
- Blind attacks
Mitigation / Precaution
Beagle recommends the following fixes:-
- Verify that the application does not leak information via error messages.
- Disable or limit detailed error handling.
- Ensure that secure paths that have multiple outcomes return similar or identical error messages.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
