Improper Error Handling

Overview

Description

It is normal for web applications to generate errors, and handling them is healthy. The problem arises when error messages are mishandled and reveal internal details: verbose error text, stack traces, database dumps, or full file system paths.

The information obtained from the error message can be used by an attacker to exploit another vulnerability.

For example, if the error message contains a full file system path, that path can be used in the exploitation of a Path Traversal vulnerability.

Example

If the web page shows a database error, HTTP request parameters can be adjusted so that database entries are printed in the error message.

Impact

It could allow an attacker to access the administrative portal related to that device.

It can lead to attacks such as buffer overflow, denial of service, or a system crash.

It could leak sensitive data or information belonging to the organization.

Prevention

  • Display only a minimal error to the user, never the full details.
  • Configure the application to write detailed error logs to a file instead of displaying them to the user.
  • Disable DEBUG mode when you deploy your code.
  • Many frameworks provide a debug mode for testing purposes; it must be disabled in production.
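As an added example (not code from the original page), the prevention points above combined in one Python error handler: the full stack trace is written to the log under a reference id, the client receives only a minimal message, and a debug flag reproduces the leak a framework debug mode would cause. The logger name, the internal markers and the sample database error are constructed for the example.

```python
import logging
import traceback
import uuid

# Constructed sample of the text a database driver might raise: it carries a
# table name, a query fragment and a full file system path.
SAMPLE_DB_ERROR = ('column "usr_id" does not exist in SELECT * FROM users '
                   "(raised in /var/www/app/models/user.py)")
# Assumed markers that must never appear in a client response.
INTERNAL_MARKERS = ("/var/www", "SELECT ", "Traceback")

# Full detail belongs in the application log, not the HTTP response; a
# list-backed handler stands in for a log file so the example runs offline.
LOG_RECORDS: list = []

class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_RECORDS.append(self.format(record))

logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(_ListHandler())
logger.propagate = False

def handle_error(exc: Exception, debug: bool = False) -> dict:
    """Log the full trace under a reference id; return a minimal client body.
    debug=True mimics a framework debug mode and must stay False in production."""
    ref = uuid.uuid4().hex[:12]  # lets an operator find the matching log entry
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("ref=%s\n%s", ref, detail)
    if debug:
        # Debug mode leaks the raw message (path, query, table name) to the client.
        return {"status": 500, "error": str(exc), "reference": ref}
    return {"status": 500, "error": "An internal error occurred.", "reference": ref}

def run_query(params: dict, debug: bool = False) -> dict:
    """Simulated request handler: a non-numeric id triggers the database error."""
    try:
        if not str(params.get("id", "")).isdigit():
            raise RuntimeError(SAMPLE_DB_ERROR)  # constructed database failure
        return {"status": 200, "rows": [{"usr_id": int(params["id"])}]}
    except Exception as exc:  # catch-all so no raw trace reaches the client
        return handle_error(exc, debug=debug)

def leaks_internals(body: dict) -> bool:
    """Return True if a response body exposes any internal marker."""
    return any(m in str(body) for m in INTERNAL_MARKERS)
```

The reference id in the client response is the only link back to the logged trace, which is what lets support staff investigate without exposing internals.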