Poor Error Handling: Unhandled Exception - http://zero.webappsecurity.com:80/plink.asp?a=b&c=12
Created by: armorcodegithubpreprod[bot]
Category: Poor Error Handling: Unhandled Exception
Instance Id: 9050dcf1-c691-4c06-9d02-5d541d7c061b
Vulnerability Id: "8f872369-6c6e-4fb6-80e0-55acd45adc93"
Scan Type: Dynamic
CheckType: Vulnerability
Abstract: The Active Server Pages (ASP) engine does not properly handle special cookie values when they are retrieved. Because of this, an unhandled error is returned to the client. This behavior can be used maliciously to gather sensitive information from web applications.
Versions Affected:
All Microsoft Internet Information Server (IIS) web applications using Active Server Pages (ASP).
Details:
ASP is an extension to IIS which allows HTML pages to be dynamically generated on the server side. When the server receives a request for an ASP file, it processes server-side scripts contained in the file to build the page that is sent back to the browser. ASP files can also contain HTML, including related client-side scripts, as well as calls to COM components that perform a variety of tasks such as connecting to a database or processing business logic. ASP pages are supported on all Microsoft Web Servers including Personal Web Server and Internet Information Server.
ASP exposes many objects to enable easy development of web applications. These objects allow browsers and web applications to exchange information over HTTP. When a special value ("=") is sent in a Cookie header value and an ASP page tries to access this value, the ASP engine returns an unhandled error.
Request:
```
GET /plink.asp?a=b&c=12 HTTP/1.1
Referer: http://zero.webappsecurity.com:80/pindex.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: /
Pragma: no-cache
Host: zero.webappsecurity.com
X-Scan-Memo: Category="Audit"; Function="createStateRequestFromAttackDefinition"; SID="47AEAF16408D07535A173DDDD02B0076"; PSID="A02B569F56FFD606BD163706C64365F5"; SessionType="AuditAttack"; CrawlType="None"; AttackType="Other"; OriginatingEngineID="65cee7d3-561f-40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc=""; AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10244"; Engine="Request+Modify"; Retry="False"; SmartMode="ServerSpecificOnly"; ThreadId="25"; ThreadType="AuditDBReaderSessionDrivenAudit";
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect69383ZXB3FCEA2CCD6849B0A63D3EFF65615601Y3637;status=yes;username=;userid=;sessionid=;ASPSESSIONIDCARBTACT=GOEJMBECPAMJHIAGAFDEJLEL;state=;passes3=;passes=;passes2=;=;Keyed=Var2=Second+Value&Var1=First+Value;Second=Oatmal+Chocolate;FirstCookie=Chocolate+Chip
```
Response:
```
Date: Fri, 13 May 2011 19:54:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 140
Content-Type: text/html
Cache-control: private
<font face="Arial" size=2>error '80004005'</font>
<p>
<font face="Arial" size=2>/plink.asp</font><font face="Arial" size=2>, line 4</font>
```
File Path: //zero.webappsecurity.com:0
Mitigation:
1. IIS Web Servers should be configured to return custom error pages which do not reveal details about the script which caused the error.
2. Custom Error Pages are designed to provide detailed information to the administrators/developers to troubleshoot and to solve ASP coding issues.
3. The Custom Error Pages feature relies on 500-100.asp.
4. Administrators and developers could use the default 500-100.asp for error reporting, but some of the information it makes available, such as the ASP script that caused the error, a relative path to the script's location, and the line in the script that caused the error, could be used maliciously.
5. Developers must therefore create their own custom error pages that provide customer-friendly information, such as email addresses, so that customers can inform the system administrators of problems.
6. Following is an example of a secure custom error page:

```
<%
Option Explicit
If Response.Buffer Then
Response.Clear
Response.Status = "500 Internal Server Error"
Response.ContentType = "text/html"
Response.Expires = 0
End If
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be displayed</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>

</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be displayed</h1>
There is a problem with the page you are trying to reach and it cannot be displayed.<hr>
<hr>
<p>Please try the following:</p>
<ul>
<li>Contact the Web site administrator to let them know that this error has occurred for this URL address.</li>
</ul>
<h2>HTTP 500.100 - Internal server error: ASP error.<br>Internet Information Services</h2>
<hr>
</TD></TR></TABLE></BODY></HTML>
```
https://preprod.armorcode.ai/#/findings/5230918