Improper Error Handling

Low

Description

Improper Error Handling, also known as Error Handling Flaws, occurs when an error message displayed to an end user provides clues about how an application or website operates. It is a serious risk when detailed internal error messages such as database dumps, stack traces, and error codes are shown to the user, who may be an attacker. Even if an error message carries little detail, inconsistencies between messages (different wording or status codes for different failure types) can still reveal how a site works or which back-end components are present. Sometimes it also leads directly to sensitive information disclosure. The severity of improper error handling depends on the scenario: in some cases the error exposes critical information, in others only non-sensitive details, so severity must be assessed for each case.

Attack Scenario

The attacker fuzzes the application by submitting random or unexpected characters in its inputs and inspects each response for error output. An application that displays errors improperly can be abused to leak internal software names and versions; the attacker then checks whether known vulnerabilities exist for those versions and attempts to exploit them.

Mitigation

A policy for error handling should be documented, stating which types of errors are handled, what message is reported to the user, and what is logged. In practice this means returning a generic message (optionally with a correlation identifier) to the client, logging the full details such as exception type, stack trace, and request context server-side only, and keeping responses to different failure types consistent so that the differences themselves do not become a fingerprint of the back-end.
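The following is an added example, not code from the original entry. It shows the attack scenario and the mitigation side by side: a leaky request handler that returns the raw Python traceback, a hardened handler that validates input, logs details server-side and returns a generic message with a correlation ID, and a small probe routine that feeds unexpected inputs to a handler and flags responses matching common error-leak signatures. The `USERS` table, the probe strings, the `lookup_user_*` handlers and the leak patterns are all constructed for this example.

```python
from __future__ import annotations

import logging
import re
import traceback
import uuid

log = logging.getLogger("app")

# Constructed in-memory "user database" so the example runs offline (assumption).
USERS = {1: "alice", 2: "bob"}


def lookup_user_leaky(user_id: str) -> tuple[int, str]:
    """Vulnerable handler: any unexpected input surfaces the raw traceback
    (file paths, function names, exception types) to the client."""
    try:
        return 200, USERS[int(user_id)]
    except Exception:
        return 500, traceback.format_exc()


def lookup_user_safe(user_id: str) -> tuple[int, str]:
    """Hardened handler: validate input first, log full details server-side,
    and return only a generic message plus a correlation ID to the client."""
    if not user_id.isdigit():
        return 400, "invalid user id"
    try:
        name = USERS.get(int(user_id))
        if name is None:
            return 404, "no such user"
        return 200, name
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Stack trace and context go to the server log only, keyed by the reference.
        log.exception("request failed ref=%s", ref)
        return 500, f"internal error, reference {ref}"


# Signatures of error output that should never reach a client (constructed list).
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),
    re.compile(r"\b(ValueError|KeyError|TypeError|SQLSTATE|ORA-\d+)\b"),
]

# Unexpected inputs an attacker would try (constructed probe set).
PROBES = ["1", "99", "1'", "-1", "1 OR 1=1", "%00", "<script>", "A" * 512]


def find_leaks(handler) -> dict[str, list[str]]:
    """Send each probe to a handler and record which ones produced a response
    body matching a leak signature. Returns {probe: [matched patterns]}."""
    leaks: dict[str, list[str]] = {}
    for probe in PROBES:
        _status, body = handler(probe)
        hits = [p.pattern for p in LEAK_PATTERNS if p.search(body)]
        if hits:
            leaks[probe] = hits
    return leaks


if __name__ == "__main__":
    print("leaky handler leaks on:", sorted(find_leaks(lookup_user_leaky)))
    print("safe handler leaks on:", sorted(find_leaks(lookup_user_safe)))
```

Run against the leaky handler, every probe except the valid id `1` returns a traceback, including a plain non-existent id such as `99`, which tells the attacker the code path is an unchecked dictionary or database lookup. The hardened handler answers the same probes with `400`, `404` or a generic `500`, so the probe set yields nothing, while the server log still holds the details an operator needs, findable by the reference shown to the user.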

ID: 10001