Application Error Disclosure

OWASP 2017-A3

An application error disclosure is an attack in which an application fails to protect its users' data. A successful attack gives the attacker access to information about the application, including details of the server environment, credentials such as API keys, and more. These leakages can have disastrous effects on the server. Application error disclosure has the following types:-

  • Banner Grabbing: Here, an attacker sends a variety of requests to the server in an attempt to make it leak information about itself. If the server is not securely configured, it will reveal details such as the PHP version, the ASP version and more. Knowing these software versions, an attacker can target the server for sensitive information. For example, a server running an older PHP version will most probably be vulnerable to remote command injection.

  • Source code Disclosure: In this type of attack the attacker has access to the application's source code. Using it, the attacker can perform white box testing on the application; the attack is also called white box testing because the attacker has read the code and crafts attacks based on logical errors in it. Source code may be leaked, for example, if the application's git repository has been made public.

  • Inappropriate Handling of sensitive data: This attack can be exploited if the server doesn't properly handle the username and password pair. An attacker can scan the web application for disclosed internal IPs, scripts etc.

  • The file name and path disclosure: In this attack the attacker gains access to file names or paths that expose the structure of the application. It is possible if there are loopholes in the backend, improper handling of data and many more.

Example

An attacker can send a malicious database request to the server. If the application is vulnerable to application error disclosure, the response will be as follows.

    Microsoft OLE DB Provider for ODBC Drivers (0x80004005) '
    [MySQL][ODBC 3.51 Driver]Unknown MySQL server host

The above output helps an attacker understand the application's database more precisely. The attacker will then test the application with many other cases until the web application is successfully exploited.

Impact

The impacts include:-

  • Unauthorised access to the system.
  • Possible loss of sensitive data.
  • Possible manipulation of sensitive data.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Don't use response headers that reveal information about the server.
  • Make sure the services running on the server's open ports don't reveal information about the server or the application.
  • Implement proper authentication and access control for sensitive information.
  • Avoid hard-coding sensitive values such as IP addresses, API keys and the like.
  • Configure the proper MIME types on the web server.
  • Configure the web server so that it suppresses error codes from being displayed in the browser.
  • Disallow directory listing on the web application.
  • Implement validation in the back-end code only, and make sure all exceptions are caught.
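The two points that matter most above, suppressing error detail from the browser and catching every exception, are illustrated below with an added Python example that is not part of this article or of Beagle's own code. The `query_orders` lookup and its `DatabaseError` are hypothetical and constructed to fail with the same ODBC message shown in the Example section; a leaky handler is shown next to a hardened one, and a small signature check shows how a scanner or response test can detect the leak.

```python
import logging
import re
import uuid

log = logging.getLogger("app")


class DatabaseError(Exception):
    """Constructed stand-in for a database driver failure."""


def query_orders(customer_id):
    # Hypothetical lookup that always fails to reach its database host;
    # the message mirrors the ODBC error quoted in the article.
    raise DatabaseError(
        "Microsoft OLE DB Provider for ODBC Drivers (0x80004005) "
        "[MySQL][ODBC 3.51 Driver]Unknown MySQL server host 'db-internal.example'")


def leaky_handler(customer_id):
    """Anti-pattern: the raw exception text goes straight to the client."""
    try:
        return 200, query_orders(customer_id)
    except Exception as exc:
        return 500, f"Internal error: {exc}"


def safe_handler(customer_id):
    """Hardened: the detail stays in the server log; the client gets a generic
    body plus an opaque reference id that support staff can correlate."""
    try:
        return 200, query_orders(customer_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("request failed (ref=%s)", ref)
        return 500, f"An internal error occurred. Reference: {ref}"


# Constructed signatures of driver and runtime error text that should never
# reach a browser; a scanner or an automated response test can grep for them.
DISCLOSURE_PATTERNS = [
    re.compile(r"OLE DB Provider for ODBC Drivers"),
    re.compile(r"\[MySQL\]\[ODBC [0-9.]+ Driver\]"),
    re.compile(r"Unknown MySQL server host"),
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"Warning: mysql_\w+\(\)"),
]


def find_error_disclosure(body):
    """Return the patterns found in a response body (empty list means clean)."""
    return [p.pattern for p in DISCLOSURE_PATTERNS if p.search(body)]
```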
