Poor Error Handling: Unhandled Exception - http://zero.webappsecurity.com:80/testing/
Created by: armorcodegithubpreprod[bot]
Category: Poor Error Handling: Unhandled Exception
Scan Type: Dynamic
CheckType: Vulnerability
Abstract: A minor vulnerability has been discovered within your web application due to the presence of a fully qualified path name to the root of your system. This most often occurs in the context of an error being produced by the web application. Fully qualified server path names allow an attacker to know the file system structure of the web server, which is a baseline for many other types of attacks to be successful. Recommendations include adopting a consistent error handling scheme and mechanism that prevents fully qualified path names from being displayed.
Request:
GET /testing/ HTTP/1.1
Referer: http://zero.webappsecurity.com:80/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: /
Pragma: no-cache
Host: zero.webappsecurity.com
X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="74AC7190EB0DD42B270214C7DD7706B5"; PSID="3B5C6D4258EDE9E2520272F502F91B6B"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Server"; OriginatingEngineID="ae34b422-6357-4aca-8fe7-7e449e14c9b7"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10217"; Engine="Directory+Enumeration"; Retry="False"; SmartMode="NonServerSpecificOnly"; ThreadId="39"; ThreadType="AuditDBReaderSessionDrivenAudit";
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect69383ZXB3FCEA2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=;userid=;sessionid=;ASPSESSIONIDCARBTACT=IFDJMBECGEEOKNHHINEAFONF;state=
File Path: //zero.webappsecurity.com:0
Mitigation:
For Development:
Don't display fully qualified pathnames as part of error or informational messages. At the least, fully qualified pathnames can provide an attacker with important information about the architecture of the web application.
For Security Operations:
The following recommendations will help to ensure that a potential attacker is not deriving valuable information from any error message that is presented.
- Uniform Error Codes: Ensure that you are not inadvertently supplying information to an attacker via the use of inconsistent or "conflicting" error messages. For instance, don't reveal unintended information by utilizing error messages such as Access Denied, which will also let an attacker know that the file he seeks actually exists. Have consistent terminology for files and folders that do exist, do not exist, and which have read access denied.
- Informational Error Messages: Ensure that error messages do not reveal too much information. Complete or partial paths, variable and file names, row and column names in tables, and specific database errors should never be revealed to the end user. Remember, an attacker will gather as much information as possible, and then add pieces of seemingly innocuous information together to craft a method of attack.
- Proper Error Handling: Utilize generic error pages and error handling logic to inform end users of potential problems. Do not provide system information or other data that could be utilized by an attacker when orchestrating an attack.
In reality, simple testing can usually determine how your web application will react to different input errors. More expansive testing must be conducted to cause internal errors to gauge the reaction of the site.
The best course of action for QA associates to take is to ensure that the error handling scheme is consistent. Do you receive a different type of error for a file that does not exist as opposed to a file that does? Are phrases like "Permission Denied" utilized which could reveal the existence of a file to an attacker? It is often a seemingly innocuous piece of information that provides an attacker with the means to discover something else which he can then utilize when conducting an attack.