30 August 2015
Today companies know their business critical information and protect them against unauthorized use and disclosure.
Cyber criminals don’t attack the business critical information, but the application systems through the vulnerabilities in the system and application software. Application and system developers make life easy for them by disclosing information about the system design caused by unhandled program exceptions and informative error messages.
Unhandled program exceptions exist in almost every web application. Candidates are URLs with parameters like
Most programmers do in-depth tests to make sure that the program retrieves exactly the information defined in the requirements specification. But what happens if an invalid value is input?
Let’s rewrite this URL and assign SiteId the value -1:
The result is:
A negative number was assigned to an Attribute of type "Unsigned": HRS_SITE_ID.HRS_SITE_ID. (2,121) WEBLIB_XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:ax_Parameter_security PCPC:1176 Statement:19 Called from:WEBLIB_ XXXXXXXX.ISCRIPT_ XXXXXXXX.FieldFormula Name:Iscript_Load XXXXXXXX Portal Statement:28
Okay, it’s not the entire program stack, but it shows that input is not fully sanitized, and gives an attacker the hint, that the site is possibly vulnerable against SQL injection attacks.
Unchecked error conditions are listed as CWE-391 in the Common Weakness Enumeration list. Programmers can easily solve this problem by adding an extra “when others” exception to the code.
The best error message is one that reveals neither information about the application system nor about the internal structure of the application:
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please excuse the inconvenience caused.
Period. For a good overview about error handling problems and mitigations see the SANS Securing Web Application Technologies (SWAT) checklist.
Have a good weekend, and fun with boundary value tests.