AttackFlow Findings Dictionary


Missing Fail-Safe Error Handling

Missing a catch-all error handling configuration in web frameworks may allow attackers to deduce internal details of an application from detailed error messages.

Severity

Medium

Fix Cost

Low

Trust Level

High

Nearly every decent web application framework offers a configuration option for declaring a generic, catch-all error handler.

Detailed error messages are certainly useful to developers trying to understand the root cause of a production bug. However, they are just as useful to attackers. An attacker who is shown a detailed exception will exploit it across a wide range of vulnerabilities: every type of injection, padding oracle attacks, business logic problems, mass assignment, and so on.

Here's an insecure customErrors directive (mode="Off" sends the full exception detail to every client):

<system.web>
  <customErrors mode="Off">
  </customErrors>
</system.web>


The Java equivalent is an insecure web.xml that contains no <error-page> directive at all, so no general error handlers are declared for the various failure cases.
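The following script shows both the weak and the hardened form of each configuration discussed above (ASP.NET customErrors and Java web.xml error-page) and audits them for this finding. It is an added example, not AttackFlow's own checker; the four sample configurations, and the page names ~/Error.aspx, ~/NotFound.aspx and /error.jsp inside them, are constructed for the demo.

```python
"""Audit ASP.NET web.config and Java web.xml for the 'Missing Fail-Safe
Error Handling' finding.

Added example, not AttackFlow's own code. The sample configurations are
constructed for the demo; the checks encode the two rules stated on the
page: customErrors must not be Off, and web.xml must declare an
<error-page> that acts as a catch-all."""
import xml.etree.ElementTree as ET

# --- constructed sample configurations -------------------------------------

# Insecure: detailed exceptions (stack trace, source line) go to every client.
INSECURE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Hardened: remote clients get the generic page, developers on the box still
# see details. mode="On" would hide details from everyone.
SECURE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

# Insecure: no <error-page> at all, so the servlet container's own error
# page is what clients see for unhandled exceptions.
INSECURE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>demo</display-name>
</web-app>"""

# Hardened: a catch-all handler for any Throwable plus one for HTTP 500.
SECURE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.jsp</location>
  </error-page>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}error-page' -> 'error-page'."""
    return tag.rsplit("}", 1)[-1]


def check_web_config(xml_text):
    """Return finding strings for an ASP.NET web.config (empty list = clean)."""
    root = ET.fromstring(xml_text)
    elements = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not elements:
        # Not declared at all: the app silently relies on the machine-level
        # default instead of a fail-safe setting of its own.
        return ["web.config: <customErrors> not declared; no explicit fail-safe handler"]
    findings = []
    for el in elements:
        if el.get("mode", "").lower() == "off":
            findings.append('web.config: customErrors mode="Off" sends detailed errors to remote clients')
    return findings


def check_web_xml(xml_text):
    """Return finding strings for a Java web.xml (empty list = clean)."""
    root = ET.fromstring(xml_text)
    pages = [e for e in root.iter() if _local(e.tag) == "error-page"]
    if not pages:
        return ["web.xml: no <error-page> directive; container default error page is exposed"]
    for page in pages:
        children = {_local(c.tag): (c.text or "").strip() for c in page}
        # A catch-all is either an explicit Throwable handler or (Servlet 3.0+)
        # an <error-page> that names only a <location>.
        if children.get("exception-type") == "java.lang.Throwable":
            return []
        if "exception-type" not in children and "error-code" not in children:
            return []
    return ["web.xml: <error-page> entries exist but none is a catch-all (java.lang.Throwable)"]


def audit(web_config=None, web_xml=None):
    """Run both checks and return the combined list of findings."""
    findings = []
    if web_config is not None:
        findings += check_web_config(web_config)
    if web_xml is not None:
        findings += check_web_xml(web_xml)
    return findings


if __name__ == "__main__":
    for label, findings in [
        ("insecure", audit(INSECURE_WEB_CONFIG, INSECURE_WEB_XML)),
        ("hardened", audit(SECURE_WEB_CONFIG, SECURE_WEB_XML)),
    ]:
        print(f"{label}: {findings or 'no findings'}")
```

Run it as-is to see the two insecure samples flagged and the two hardened ones pass; to audit a real deployment, read the file contents into the same check functions. The web.xml check accepts either an explicit java.lang.Throwable handler or a Servlet 3.0 style default error-page (location only) as the catch-all, since both stop the container's own error page from reaching clients.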
