
Error Handling

Every application will eventually have to deal with an exception, and it is vital that these are handled securely. If an attacker can force exceptions to occur and you fail to handle them correctly, you will expose sensitive information about the inner workings of the application. These detailed error messages help attackers build a picture of your application and fine tune their attacks.

An attack such as SQL Injection becomes significantly easier to exploit if an attacker can view the internal server error messages. Below is an example of an attempted attack and the unsanitised error message that is returned to the attacker:

http://www.examplesite.com/home.html?day=Monday AND userscolumn= 2

You can see that the attacker appended AND userscolumn=2 onto the URL to test for a SQL Injection vulnerability. The attacker's input was processed by SQL Server, which raised an exception because the column userscolumn doesn't exist.

Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name ‘userscolumn’.

/examplesite/login.asp, line 10

This type of error message is a common sight across the internet and it will help attackers fine tune their attacks against your application.

To prevent these kinds of errors reaching the end users of your application you need to ensure that you develop your code to handle expected and unexpected exceptions. The errors that are returned to the end users should be generic messages such as “Server error – please contact support”. There are several simple points to remember when you are trying to implement secure error handling:

  • Never include the line on which an exception occurred, the method that raised it, or stack traces
  • Never include file system paths within error messages
  • Ensure that service information such as ASP.NET version numbers are not contained within error messages

Most languages have their own constructs for handling exceptions; below is an example of the try/catch construct for handling exceptions in Java:

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;

public class Test {

    public static void main(String[] args) {
        String urlStr = "http://securityninja.co.uk/no_exist.html";

        try {
            URL url = new URL(urlStr);
            InputStream is = url.openStream();
            is.close();
        } catch (MalformedURLException e) {
            // The URL string itself was invalid: report it without echoing internals
            System.out.println("Error requesting " + urlStr);
        } catch (IOException e) {
            // The request failed (here a 404): print only the sanitised message
            System.out.println("Error requesting " + e.getMessage());
        }
    }
}

In this example the code requests /no_exist.html, which doesn't exist on the server. The catch block ensures that the user is presented with the following sanitised error message:

“Error requesting http://securityninja.co.uk/no_exist.html”

You should always ensure your own code provides error messages similar to the one above.
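The three rules listed earlier and the try/catch example above come down to one pattern: record the full exception where only operators can read it, and hand the user a fixed message. The class below is an added example written for this page, not code from the original post. It assumes java.util.logging for the server-side log, attaches a random reference id so support staff can find the logged stack trace, and adds a heuristic leaksInternalDetail check (its marker list is an assumption and is not complete) that can be run over outgoing messages in tests. The ODBC error text it checks is the one quoted earlier on this page, joined onto a single line; the two exceptions are constructed stand-ins for the page's SQL and 404 scenarios.

```java
import java.io.FileNotFoundException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class SafeErrorHandler {

    private static final Logger LOG = Logger.getLogger(SafeErrorHandler.class.getName());

    // Fixed text for the end user; it is never built from the exception itself,
    // so no driver text, path, line number or stack frame can leak through it
    static final String USER_MESSAGE = "Server error - please contact support";

    // Heuristic markers of internal detail (an assumed, non-exhaustive list):
    // line numbers, stack frames, paths to server-side source files, driver
    // banners, framework/version names and database error phrasing
    private static final Pattern INTERNAL_DETAIL = Pattern.compile(
        "(?i)(\\bline \\d+|\\bat [\\w$.]+\\([^)]*\\)|[a-z]:\\\\"
        + "|/\\S*\\.(asp|aspx|jsp|php|java|class)\\b"
        + "|\\bodbc\\b|ole db|sql server|asp\\.net|\\bversion \\d"
        + "|invalid column|syntax error|stack ?trace)");

    /** What the user is shown, plus the reference id that ties it to the server log. */
    public static final class Outcome {
        public final String userMessage;
        public final String referenceId;

        Outcome(String userMessage, String referenceId) {
            this.userMessage = userMessage;
            this.referenceId = referenceId;
        }
    }

    /** Handle any exception: full detail to the server log, generic text to the user. */
    public static Outcome handle(Exception e) {
        String ref = UUID.randomUUID().toString();
        // Everything an investigator needs is logged server-side under the reference id
        LOG.log(Level.SEVERE, "ref=" + ref + "\n" + stackTraceOf(e));
        return new Outcome(USER_MESSAGE + " (reference " + ref + ")", ref);
    }

    /** Render a stack trace to a string for the server log. */
    static String stackTraceOf(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    /** True if a message about to leave the server carries tell-tale internal detail. */
    public static boolean leaksInternalDetail(String message) {
        return INTERNAL_DETAIL.matcher(message).find();
    }

    public static void main(String[] args) {
        // The unsanitised ODBC error quoted on the page, joined onto one line
        String rawOdbcError = "Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) "
            + "[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'userscolumn'. "
            + "/examplesite/login.asp, line 10";

        // Constructed exceptions standing in for the page's two scenarios
        Exception sqlError = new SQLException("Invalid column name 'userscolumn'.");
        Exception notFound = new FileNotFoundException("http://securityninja.co.uk/no_exist.html");

        for (Exception e : new Exception[] { sqlError, notFound }) {
            Outcome o = handle(e);
            System.out.println("User sees: " + o.userMessage);
            System.out.println("Leaks internal detail: " + leaksInternalDetail(o.userMessage));
        }

        // The raw driver text and the raw SQLException message both fail the check
        System.out.println("Raw ODBC text leaks: " + leaksInternalDetail(rawOdbcError));
        System.out.println("Raw SQLException message leaks: " + leaksInternalDetail(sqlError.getMessage()));
    }
}
```

Compile and run with javac SafeErrorHandler.java && java SafeErrorHandler: the logger writes the stack traces to stderr, while stdout carries only the generic messages and the check results. Note that the try/catch example above builds its output from e.getMessage(), which for some IOExceptions includes host names or socket detail; a fixed string plus a reference id, as here, never depends on what the exception happens to say.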
