Unhandled error in web application

The most efficient and secure web applications are made by preventing data leakage. The error messages generated from the server is of greatest use to attackers. The attackers can get information about the servers along with their loopholes. Using this information, the attacker can plan an attack. This server frequently generates error messages.

Example

    <%@ Import Namespace="System.Diagnostics" %>
      <script language="C#" runat="server">
        void Application_Error(Object sender, EventArgs e) {
            String Message = "\n\nURL: http://localhost/" + Request.Path
                              + "\n\nMESSAGE:\n " + Server.GetLastError().Message
                              + "\n\nSTACK TRACE:\n" + Server.GetLastError().StackTrace;
            // Insert into Event Log
            EventLog Log = new EventLog();
            Log.Source = LogName;
            Log.WriteEntry(Message, EventLogEntryType.Error);
          Server.Redirect(Error.htm) // this shall also clear the error
        }
    </script>

  

Impact

The impact include:-

  • Data Breach
  • Injection attacks
  • Blind attacks

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Verify that the application does not leak information via error messages.
  • Disable or limit detailed error handling.
  • Ensure that secure paths that have multiple outcomes return similar or identical error messages.

Latest Articles