Unhandled error in web application

Rejah Rehim

Published on

24 Jun 2018

1 min read

Vulnerability

The most efficient and secure web applications are made by preventing data leakage. The error messages generated from the server is of greatest use to attackers. The attackers can get information about the servers along with their loopholes. Using this information, the attacker can plan an attack. This server frequently generates error messages.

Example

    <%@ Import Namespace="System.Diagnostics" %>
      <script language="C#" runat="server">
        void Application_Error(Object sender, EventArgs e) {
            String Message = "\n\nURL: http://localhost/" + Request.Path
                              + "\n\nMESSAGE:\n " + Server.GetLastError().Message
                              + "\n\nSTACK TRACE:\n" + Server.GetLastError().StackTrace;
            // Insert into Event Log
            EventLog Log = new EventLog();
            Log.Source = LogName;
            Log.WriteEntry(Message, EventLogEntryType.Error);
          Server.Redirect(Error.htm) // this shall also clear the error
        }
    </script>

  

Impact

The impact include:-

Data Breach
Injection attacks
Blind attacks

Mitigation / Precaution

Beagle recommends the following fixes:-

Verify that the application does not leak information via error messages.
Disable or limit detailed error handling.
Ensure that secure paths that have multiple outcomes return similar or identical error messages.

Automated human-like penetration testing for your web apps & APIs

Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Product tour

Written by