Error Handling Cheat Sheet




= Introduction =

Error handling is part of the overall security of an application. Except in movies, an attack always begins with a reconnaissance phase in which the attacker tries to gather as much technical information as possible about the target (often product names and version numbers): the application server, the technologies, the frameworks, the libraries, and so on.

If errors are not handled properly, they can greatly facilitate this initial phase, which is crucial for the rest of the attack.

This link provides an example description of the different phases of an attack.

= Context =

Issues at the error handling level can reveal a lot of information about the target and can also be used to identify injection points in the target's features.

Example of disclosure of the technology stack, here the Struts2 and Tomcat versions, via an exception rendered to the user:

HTTP Status 500 - For input string: "null"

type Exception report

message For input string: "null"

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.NumberFormatException: For input string: "null" java.lang.NumberFormatException.forInputString(NumberFormatException.java:65) java.lang.Integer.parseInt(Integer.java:492) java.lang.Integer.parseInt(Integer.java:527) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:606) com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450) com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:289) com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:252) org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:256) com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246) ...

note: The full stack trace of the root cause is available in the Apache Tomcat/7.0.56 logs.

Example of disclosure of a SQL query error, along with the site installation path, which is useful to identify an injection point:

Warning: odbc_fetch_array expects parameter 1 to be resource, boolean given in D:\app\index_new.php on line 188

The OWASP Testing Guide provides different techniques to obtain technical information from an application.

= Objective =

This article shows how to configure a global error handler, at configuration level when possible and otherwise at code level, in different technologies, in order to ensure that if an unexpected error occurs, a generic message is returned by the application while the error is traced on the server side for investigation.



As most recent application topologies are "API based", we assume here that the backend exposes only a REST API and does not contain any user interface content.

For the error logging operation itself, the Logging Cheat Sheet should be used. This article focuses on the error handling part.

= Proposition =

For each technology, a setup is proposed with a configuration and a code snippet.

== Java classic web application ==

For this kind of application, a global error handler can be configured at the web.xml deployment descriptor level.

We propose here a configuration that can be used from Servlet specification version 2.5 and above.

With this configuration, any unexpected error causes a redirection to the page error.jsp, in which the error is traced and a generic error response is returned.

Configuration of the redirection in the web.xml file:

Content of the error.jsp file:
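The following is an added example, not the cheat sheet's own web.xml or error.jsp: it implements the error page as a servlet rather than a JSP, so the same `<error-page>` mapping shown in the leading comment sends every unhandled exception to it. The servlet path `/error`, the class name and the JSON body are assumptions; the request attributes `javax.servlet.error.exception` and `javax.servlet.error.request_uri` are the standard ones the container sets before dispatching to an error page.

```java
// Added example (not the cheat sheet's own code): a servlet playing the role of
// error.jsp. The assumed web.xml mapping that dispatches to it is:
//
//   <error-page>
//     <exception-type>java.lang.Throwable</exception-type>
//     <location>/error</location>
//   </error-page>
//
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/error") // assumed path, must match <location> in web.xml
public class GlobalErrorServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(GlobalErrorServlet.class.getName());

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container stores the original exception and the failing URI in
        // these standard request attributes before forwarding here.
        Throwable cause = (Throwable) req.getAttribute("javax.servlet.error.exception");
        String failedUri = (String) req.getAttribute("javax.servlet.error.request_uri");

        // A correlation id lets support find the server-side trace without
        // the trace itself ever reaching the client.
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Unhandled error " + incidentId + " on " + failedUri, cause);

        // Generic response: fixed status, fixed message, no class names,
        // no exception message, no stack frames, no server version.
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write(
            "{\"message\":\"An unexpected error occurred.\",\"incidentId\":\""
            + incidentId + "\"}");
    }
}
```

The `<exception-type>` of `java.lang.Throwable` catches everything, including `Error` subclasses, so the same generic body is returned regardless of what went wrong; anything more specific than the incident id is deliberately kept in the log only.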

== Java SpringMVC/SpringBoot web application ==

With SpringMVC or SpringBoot, you can define a global error handler by simply implementing this kind of class in your project.

We indicate, via the ExceptionHandler annotation, that the handler acts whenever any exception extending the class java.lang.Exception is thrown by the application.

References:

 * http://www.baeldung.com/exception-handling-for-rest-with-spring
 * https://www.toptal.com/java/spring-boot-rest-api-error-handling
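An added example of such a global handler, not the cheat sheet's own snippet: a `@RestControllerAdvice` bean whose single `@ExceptionHandler(Exception.class)` method logs the full detail server side and returns a fixed JSON body. The class name, the incident id scheme and the body fields are assumptions; the Spring annotations and `ResponseEntity` API are standard.

```java
// Added example (not the cheat sheet's own code): Spring MVC / Spring Boot
// global handler. Any @RestControllerAdvice bean in a scanned package is
// applied to every controller automatically.
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class RestResponseEntityExceptionHandler {

    private static final Logger LOG =
        LoggerFactory.getLogger(RestResponseEntityExceptionHandler.class);

    // Matches Exception and every subclass, i.e. anything a controller lets escape.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> handleAnyException(Exception ex,
                                                                  HttpServletRequest request) {
        String incidentId = UUID.randomUUID().toString();

        // Full detail (exception type, message, stack trace) stays in the server log.
        // SLF4J treats a trailing Throwable argument as the exception to print.
        LOG.error("Unhandled exception {} for {} {}", incidentId,
                  request.getMethod(), request.getRequestURI(), ex);

        // The client only gets a fixed message and the id to quote to support.
        Map<String, String> body = Map.of(
            "message", "An unexpected error occurred.",
            "incidentId", incidentId);
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                             .contentType(MediaType.APPLICATION_JSON)
                             .body(body);
    }
}
```

Because the handler is declared on `Exception.class`, more specific `@ExceptionHandler` methods (for validation errors, for instance) can still be added alongside it; Spring picks the closest matching type, and this one remains the catch-all.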

== ASP.NET Core web application ==

With ASP.NET Core, you can define a global error handler by indicating that the exception handler is a dedicated API controller.

Content of the API controller dedicated to error handling:

Definition, in the application Startup.cs file, of the mapping of the exception handler to the dedicated error handling API controller:

References:

 * https://docs.microsoft.com/en-us/aspnet/core/fundamentals/error-handling?view=aspnetcore-2.1

== ASP.NET Web API web application ==

With ASP.NET Web API, you can define and register handlers in order to trace and handle any error that occurs in the application.

Definition of the handler for tracing the error details:

Definition of the handler for managing the error in order to return a generic response:

Registration of both handlers in the application WebApiConfig.cs file:

References:

 * https://exceptionnotfound.net/the-asp-net-web-api-exception-handling-pipeline-a-guided-tour/

= Sources of the prototype =

The source code of all the sandbox projects created to find the right setup to use is stored in this GitHub repository:

https://github.com/righettod/poc-error-handling

= Authors and Primary Editors =

Dominique Righetto - dominique.righetto@owasp.org
