Application Error Message Security Vulnerability
Application error message (Acunetix web vulnerability, "Error Message On Page")

Severity: Medium

Description
This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception. This may be a false positive if the error message is found in documentation pages.

Remediation
Review the source code for this script.

References
PHP Runtime Configuration

Severity classification
CWE-200

© Acunetix, 2016
Improper Error Handling Definition

Improper error handling can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site, and such messages are also disturbing to normal users.

Web applications frequently generate error conditions during normal operation. Out of memory, null pointer exceptions, system call failure, database unavailable, network timeout, and hundreds of other common conditions can cause errors to be generated. These errors must be handled according to a well thought out scheme that will provide a meaningful error message to the user, diagnostic information to the site maintainers, and no useful information to an attacker.

Even when error messages don't provide a lot of detail, inconsistencies in such messages can still reveal important clues on how a site works, and what information is present under the covers. For example, when a user tries to access a file that does not exist, the error message typically indicates "file not found". When accessing a file that the user is not authorized for, it indicates "access denied". The user is not supposed to know the file even exists, but such inconsistencies will readily reveal the presence or absence of inaccessible files or the site's directory structure.

One common security problem caused by improper error handling is the fail-open security check. All security mechanisms should deny access until specifically granted, not grant access until denied, which is a common reason why fail-open errors occur. Other errors can cause the system to crash or consume significant resources, effectively denying or reducing service to legitimate users.

Good error handling mechanisms should be able to handle any feasible set of inputs, while enforcing proper security. Simple error messages should be produced and logged so that their cause, whether an error in the site or a hacking attempt, can be reviewed. Error handling should not focus solely on input provided by the user, but should also include any errors that can be generated by internal components such as system c

Sources: https://www.acunetix.com/vulnerabilities/web/application-error-message and https://www.owasp.org/index.php/Improper_Error_Handling
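The two points above, one generic response for "does not exist" and "not allowed", and security checks that deny until specifically granted, are shown below in example code added for this page (it is not the page's, OWASP's or Acunetix's own code). The document store, ACL, user table and salt are constructed sample data, and open_document, is_authorized and login are illustrative names rather than any framework's API. The login function goes one step beyond the text: it keeps both the message and the amount of work the same whether or not the username exists, so neither the text nor the response time tells the two cases apart.

```python
"""Consistent error responses and fail-closed authorization.

Added example for this page (not the page's or OWASP's code). DOCUMENTS, ACL,
USERS and SALT are constructed sample data; open_document, is_authorized and
login are illustrative names, not any framework's API.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample data.
DOCUMENTS = {"public.txt": "hello", "secret.txt": "top secret"}
# Fail closed: a document absent from the ACL is readable by nobody.
ACL = {"public.txt": {"alice", "bob"}, "secret.txt": {"alice"}}

# One generic message for "does not exist" and "not allowed", so the
# response cannot be used to probe for inaccessible files.
NOT_FOUND = Response(404, "The requested resource could not be found.")
# One generic message for "no such user" and "bad password".
LOGIN_FAILED = Response(401, "Invalid username or password.")


def is_authorized(user: str, doc_name: str) -> bool:
    """Deny until specifically granted; any failure inside the check denies."""
    try:
        return user in ACL.get(doc_name, set())
    except Exception:  # a broken ACL lookup must not fail open
        return False


def open_document(user: str, doc_name: str) -> Response:
    """Return the identical 404 for a missing file and for a forbidden file."""
    if doc_name not in DOCUMENTS or not is_authorized(user, doc_name):
        return NOT_FOUND
    return Response(200, DOCUMENTS[doc_name])


SALT = b"constructed-demo-salt"  # a real system uses a random salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


USERS = {"alice": _hash("correct horse battery staple")}
# Hash compared against when the username is unknown, so the work done
# (and therefore the response time) does not depend on user existence.
DUMMY_HASH = _hash("placeholder-never-matches")


def login(username: str, password: str) -> Response:
    """Same text and same amount of work for unknown user and wrong password."""
    stored = USERS.get(username, DUMMY_HASH)
    matches = hmac.compare_digest(stored, _hash(password))
    if username not in USERS or not matches:
        return LOGIN_FAILED
    return Response(200, f"Welcome, {username}")


if __name__ == "__main__":
    print(open_document("bob", "secret.txt"))   # same 404 as a missing file
    print(open_document("bob", "missing.txt"))
    print(login("nobody", "x"))                 # same 401 as a wrong password
    print(login("alice", "wrong"))
```

The design choice worth noting is that the ACL lookup returns a set the caller can only be *in*, never a default "allowed": a missing entry, a typo in the document name or an exception in the lookup all evaluate to denial, which is what "deny access until specifically granted" means in code.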
Information Leakage and Improper Error Handling (OWASP Top 10 2007)

... workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks.

Source: https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling (see also http://www.devx.com/dotnet/Article/32493)

Environments Affected
All web application frameworks are vulnerable to information leakage and improper error handling.

Vulnerability
Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploiting a vulnerability. There are several common examples of this:
- Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information.
- Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for "no such user" and "bad password". However, many systems produce different error codes.

Verifying Security
The goal is to verify that the application does not leak information via error messages or other means.
Automated approaches: Vulnerability scanning tools will usually cause error messages to be generated. Static analysis tools can search for the use of APIs that leak information, but will not be able to verify the meaning of those messages.
Manual approaches: A code review can search for improper error handling and other patterns that leak information, but it is time-consuming. Testing will also generate error messages, but knowing what error paths were covered is a challenge.

Protection
Developers should use tools like OWASP's WebScarab to try to make their application generate errors. Applications that have not been tested in this way will almost certainly generate unexpected error output. Applications should also include a standard exception handling architecture to prevent unwanted information from leaking to attackers. Preventing information leakage requires discipline. The following practices have proven effective:
- Ensure that the entire software development team shares a common approach to exception handling.
- Disable or limit detailed e
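The "standard exception handling architecture" under Protection, and the automated verification under Verifying Security (scanners provoking errors and checking what comes back), are illustrated by the example below, which was added for this page and is not OWASP's, Acunetix's or any scanner's code. handle_request, debug_handle_request, looks_like_error_disclosure, the DISCLOSURE_PATTERNS list and the SERVER_LOG sink are illustrative names with constructed data; the patterns are a small hand-written set of common verbose-error signatures, not a product's detection rules.

```python
"""Central exception handler plus a response check for leaked debug output.

Added example for this page (not the page's, OWASP's or Acunetix's code).
handle_request, debug_handle_request, looks_like_error_disclosure,
DISCLOSURE_PATTERNS and SERVER_LOG are illustrative names and constructed
data, not any framework's or scanner's real API or signatures.
"""
import logging
import re
import traceback
import uuid

# In-memory stand-in for the server-side log file, so the example runs offline.
SERVER_LOG: list[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        SERVER_LOG.append(record.getMessage())


LOG = logging.getLogger("app.errors")
LOG.addHandler(_ListHandler())
LOG.setLevel(logging.ERROR)
LOG.propagate = False


def handle_request(view, *args) -> tuple[int, str]:
    """Run a view: full detail to the server log, a generic message to the user."""
    try:
        return 200, view(*args)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Stack trace and exception text stay server-side, keyed by a
        # reference the user can quote to support.
        LOG.error("ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {ref}"


def debug_handle_request(view, *args) -> tuple[int, str]:
    """The 'before' behaviour this page warns about: the traceback reaches the client."""
    try:
        return 200, view(*args)
    except Exception:
        return 500, traceback.format_exc()


# Signatures of common verbose error output, as a scanner or a regression
# test might look for them (constructed; not Acunetix's detection rules).
DISCLOSURE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),      # Python
    re.compile(r'File "[^"\n]+\.py", line \d+'),              # Python frame
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),          # Java frame
    re.compile(r"<b>(?:Warning|Notice|Fatal error|Parse error)</b>:.* in <b>[^<]+</b> on line <b>\d+</b>"),  # PHP display_errors
    re.compile(r"You have an error in your SQL syntax"),      # MySQL
]


def looks_like_error_disclosure(body: str) -> bool:
    """True if a response body contains stack-trace or debug-error text."""
    return any(p.search(body) for p in DISCLOSURE_PATTERNS)


def broken_view(doc_name: str) -> str:
    """Constructed view with an unhandled failure path (KeyError)."""
    return {"index": "welcome"}[doc_name]


if __name__ == "__main__":
    status, body = handle_request(broken_view, "nope")
    print(status, body, looks_like_error_disclosure(body))   # 500 ... False
    status, body = debug_handle_request(broken_view, "nope")
    print(status, looks_like_error_disclosure(body))         # 500 True
    print(SERVER_LOG[-1].splitlines()[-1])                   # KeyError: 'nope'
```

The reference id is the piece that makes the generic message workable in practice: the user gets nothing about the internal state, yet support can find the full trace in the server log from the id they quote. The same split is what the "PHP Runtime Configuration" reference in the Acunetix section points at: in php.ini, display_errors=Off keeps the warning and its file path off the page while log_errors=On keeps it in the server log. A check like looks_like_error_disclosure run over responses from an error-provoking test suite gives the team an automated regression test for the same thing a scanner reports.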