Top 10 2007-Information Leakage and Improper Error Handling

Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Applications can also leak internal state via how long they take to process certain operations or via different responses to differing inputs, such as displaying the same error text with different error numbers. Web applications will often leak information about their internal state through detailed or debug error messages.

Environments Affected
All web application frameworks are vulnerable to information leakage and improper error handling.

Vulnerability
Applications frequently generate error messages and display them to users. Many times these error messages are quite useful to attackers, as they reveal implementation details or information that is useful in exploiting a vulnerability. There are several common examples of this:


 * Detailed error handling, where inducing an error displays too much information, such as stack traces, failed SQL statements, or other debugging information.
 * Functions that produce different results based upon different inputs. For example, supplying the same username but different passwords to a login function should produce the same text for no such user, and bad password. However, many systems produce different error codes.

Verifying Security
The goal is to verify that the application does not leak information via error messages or other means.

Automated approaches: Vulnerability scanning tools can and probably will cause error messages to be generated.Static analysis tools can search for the use of APIs that leak information, but will not be able to verify the meaning of those messages. Some of the issues.

Manual approaches: A code review can search for improper error handling and other patterns that leak information, but it is time-consuming. Testing will also generate error messages, but knowing what error paths were covered is a challenge.

Protection
Developers should use tools like OWASP's WebScarab to try to make their application generate errors. Applications that have not been tested in this way will almost certainly generate unexpected error output. Applications should also include a standard exception handling architecture to prevent unwanted information from leaking to attackers.

Preventing information leakage requires discipline. The following practices have proven effective:


 * Ensure that the entire software development team shares a common approach to exception handling.
 * Disable or limit detailed error handling. In particular, do not display debug information to end users, stack traces, or path information.
 * Ensure that secure paths that have multiple outcomes return similar or identical error messages in roughly the same time. If this is not possible, consider imposing a random wait time for all transactions to hide this detail from the attacker.
 * Various layers may return fatal or exceptional results, such as the database layer, the underlying web server (IIS, Apache, etc). It is vital that errors from these layers are adequately checked and configured to prevent error messages from being exploited by intruders
 * Be aware that common frameworks return different HTTP error codes depending on if the error is within your custom code or within the framework’s code. It is worthwhile creating a default error handler which returns an appropriately sanitized error message for most users in production for all error paths.
 * Although security through obscurity, choosing to override the default error handler so that it always returns “200” (OK) error screens reduces the ability of automated scanning tools from determining if a serious error occurred.
 * Some larger organizations have chosen to include random / unique error codes amongst all their applications. This can assist the help desk with finding the correct solution for a particular error, but it may also allow attackers to determine exactly which path an application failed.

Samples

 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4899
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3389
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0580