Contact us for your penetration testing needs 1-866-PLYNT-24    |   Contact Us   Plynt UK Website  
Click to get Security Testing Quote
I don't think anybody can exploit my application with the help of the error messages it displays or can they?

Error messages can give out a whole lot of information about the application.

Sometimes during the design and development stages we miss out on customizing the error messages. The application may give out information about the architecture or the business details etc. All such information helps an adversary plan further attacks.

One common issue I've seen is getting details about the database on entering unexpected inputs. Let's see how this is possible: consider an application uses Oracle as the backend database and does not handle errors properly. An adversary enters some unexpected input in a form field and sends the request to the server. The sever sends back a error message which says "Error parsing and updating transaction request -ORA-20000". This clearly tells the adversary that Oracle is being used at the backend and now he can carry refine his attacks based on this information.

As a best practice, no architectural details should be disclosed to the user.

This article explains how to turn off error messages safely.

Chris Anley's advanced SQL Injection paper explains how to use error messages to fine-tune a SQL Injection attack.


Request a proposal

Our quote contains the best price, the time estimate, and our methodology; and we'll mail you the quote in 24 hrs.


                                                
 
Movable Type Appliance - Powered by TurnKey Linux