ronan-dunne
Application Error Codes & Custom Error Pages
Security Issue, Remediation & Fun
Contents
• Introduction
• Security Issue
• Examples
• ASP.NET – Error Codes
• Yellow Screen of Death
• Remediation
• Custom Error Codes
Introduction
• Error Codes are very common during Web Application Security tests
• Often seen as a non-security issue
• Easy to remediate
Security Issue
• Error Codes can unveil a lot of information regarding an Application to an attacker
• This includes:
– Databases
– Bugs
– Server Config
Examples
• MySQL Error:
– Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server
• Database Error:
– Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'
• Web Server Error:
– Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
ASP.NET – Error Codes
• If a user requests a dynamic resource that does not exist (for example, an ASPX file), then the user sees the default server error message generated by ASP.NET for HTTP 404 errors:
• If an unhandled exception occurs in the application, then the user sees the default server error message generated by ASP.NET for HTTP 500 errors:
Yellow Screen of Death
• ASP.NET web application developers call these the "Yellow Screen of Death" (YSOD)
• Similar to this traffic light, Users and Developers are unaware of the risk these errors can pose
Remediation
• Add error pages for 404 and 500 error codes from within the application configuration file (web.config)
• This instructs IIS to use the specified custom pages for these error codes
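The remediation above, as an added example that is not part of the original slides: a Python check that audits a web.config for custom 404 and 500 error pages. Both sample configurations are constructed, the `/Errors/...` page paths are placeholders, and requiring explicit entries at both the ASP.NET (`customErrors`) and IIS (`httpErrors`) layers is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: detailed errors (the YSOD) are sent to every client.
WEAK = """<configuration>
  <system.web><customErrors mode="Off" /></system.web>
</configuration>"""

# Constructed sample of the remediation; the /Errors/... paths are placeholders.
HARDENED = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Errors/500.aspx">
      <error statusCode="404" redirect="~/Errors/404.aspx" />
    </customErrors>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/Errors/404.aspx" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="/Errors/500.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>"""

REQUIRED = ("404", "500")  # the two status codes the slides name

def audit(web_config_xml):
    """Return findings for a web.config; an empty list means both codes are covered."""
    root = ET.fromstring(web_config_xml)
    findings = []
    ce = root.find("system.web/customErrors")
    if ce is not None and ce.get("mode", "").lower() == "off":
        findings.append("customErrors mode=Off: ASP.NET error details reach every client")
    he = root.find("system.webServer/httpErrors")
    if he is not None and he.get("errorMode", "").lower() == "detailed":
        findings.append("httpErrors errorMode=Detailed: IIS error details reach every client")
    for code in REQUIRED:
        # ASP.NET layer: an explicit <error> entry or a defaultRedirect covers the code.
        asp = ce is not None and (ce.get("defaultRedirect") or any(
            e.get("statusCode") == code for e in ce.findall("error")))
        # IIS layer (assumption of this example): an explicit <error> entry is required.
        iis = he is not None and any(
            e.get("statusCode") == code for e in he.findall("error"))
        findings += [f"no {layer} custom error page for {code}"
                     for layer, ok in (("ASP.NET", asp), ("IIS", iis)) if not ok]
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED) or "OK")
```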
Custom Error Codes