Improper Error Handling

Description

During the scan, Kayran found an Improper Error Handling vulnerability.
Improper error handling aids the reconnaissance phase, in which the attacker tries to gather as much technical information as possible about the target: the application's server, frameworks, libraries, versions, and so on.

Unhandled errors assist the attacker in this reconnaissance phase, which lays the groundwork for further attacks.

An attacker may use the contents of error messages to launch another, more focused attack.
For example, an attempt to exploit a path traversal weakness (CWE-22) might yield the full pathname of an installed application. In turn, this could be used to select the proper number of “..” sequences to navigate to the targeted file.
An attack using SQL injection (CWE-89) might not initially succeed, but an error message could reveal the malformed query, which would expose query logic and possibly even passwords or other sensitive information used within the query.

Recommendation

Verify that no sensitive information is disclosed through error or warning messages.
Another good practice is to configure the application to log errors (to a file, for example) instead of displaying them to users.
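As an added illustration of the recommendation (example code, not from Kayran or the scanned application): a leaky handler beside a hardened one that writes the full error to the server-side log and returns only an opaque reference id, plus a simple pattern check for verifying that a response body does not echo internals. The log sink, the leak patterns and the failing query are constructed for this example.

```python
import logging
import re
import uuid

# Server-side error log. A deployment would attach logging.FileHandler("app-errors.log");
# a list-backed handler keeps this example self-contained (constructed for the example).
class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(self.format(record))  # format() appends the traceback

log_sink = _ListHandler()
error_log = logging.getLogger("app.errors")
error_log.addHandler(log_sink)
error_log.setLevel(logging.ERROR)
error_log.propagate = False

# Markers that commonly betray leaked internals in a response body: stack traces,
# database error text, filesystem paths, exception class names (constructed list).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"\b(syntax error|SELECT|FROM|WHERE)\b", re.I),
    re.compile(r"(?:/[\w.-]+){2,}|[A-Z]:\\"),
    re.compile(r"\b\w+(Error|Exception)\b"),
]

def response_discloses_internals(body: str) -> bool:
    """Verification check: True if the body matches any leak marker."""
    return any(p.search(body) for p in LEAK_PATTERNS)

def leaky_handler(exc: Exception) -> tuple[int, str]:
    """Weak pattern: the exception text (and whatever it carries) reaches the user."""
    return 500, f"Internal error: {type(exc).__name__}: {exc}"

def safe_handler(exc: Exception) -> tuple[int, str]:
    """Recommended pattern: details go to the server log; the user gets only a reference id."""
    ref = uuid.uuid4().hex
    error_log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    return 500, f"An internal error occurred. Reference: {ref}"

def demo(handler):
    """Runs a handler against a failure that carries the malformed query,
    as a database driver error would (constructed exception, no real database)."""
    try:
        raise RuntimeError("syntax error near \"'\" in: SELECT id FROM users WHERE pw = 'hunter2'")
    except RuntimeError as exc:
        return handler(exc)
```

The reference id in the user-facing message lets support staff locate the full record in the server log without exposing any of it to the client.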

References

https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html

https://cwe.mitre.org/data/definitions/209.html