Improper Error Handling

Description

Error messages are a source of information in the reconnaissance phase, in which the attacker tries to gather as much technical information as possible about the target: the application server, frameworks, libraries, versions, etc.

Business Impact

Unhandled errors can assist an attacker in this reconnaissance phase, which is very important for further attacks.

Recommendation

Verify that no sensitive information is disclosed in error or warning messages. Another best practice is to configure the application to log errors to a file, for example, instead of displaying them to users.
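As an added example (not part of the original page), the following Python code contrasts a handler that echoes the exception and stack trace to the client with one that logs the full details server-side and returns only an opaque reference id; the failing database call and the log file path are constructed stand-ins.

```python
import logging
import traceback
import uuid
from typing import Tuple

# Server-side log: the full details go here, never into the HTTP response.
LOG_PATH = "app-errors.log"  # assumed path for this example
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.FileHandler(LOG_PATH, delay=True))


def run_query(user_id: str) -> dict:
    """Constructed stand-in for a database call that fails."""
    # A real driver would raise a similar message on a malformed query,
    # revealing query logic, schema names and connection details.
    raise RuntimeError(
        f"syntax error in SELECT * FROM users WHERE id = '{user_id}' "
        "(db=prod, user=app_rw)"
    )


def handle_verbose(user_id: str) -> Tuple[int, str]:
    """Leaky handler: returns the raw traceback (query, paths) to the caller."""
    try:
        return 200, str(run_query(user_id))
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(user_id: str) -> Tuple[int, str]:
    """Hardened handler: details go to the log file, the client gets a
    generic message plus a correlation id that support can look up."""
    try:
        return 200, str(run_query(user_id))
    except Exception:
        ref = uuid.uuid4().hex  # links the user-facing message to the log entry
        logger.error("ref=%s %s", ref, traceback.format_exc())
        return 500, f"An internal error occurred. Reference: {ref}"
```

The hardened response carries nothing an attacker can use for reconnaissance, while the reference id still lets operators find the full traceback in the log.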

More Details

An attacker may use the contents of error messages to help launch another, more focused attack. For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of the installed application. In turn, this could be used to select the proper number of “..” sequences to navigate to the targeted file. An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.

Reference

https://cwe.mitre.org/data/definitions/209.html
