Analysis about error codes

From OWASP
Revision as of 09:05, 7 September 2006 by Carlo.pelliccioni (Talk | contribs)


During a penetration test on web applications we often come across error codes generated by applications or web servers. These codes are a good opportunity for the pentester because they reveal a lot of information about databases, bugs, and other technological components directly linked with the web application. In this first part we'll analyze the more common codes (error messages) and bring into focus the steps of the vulnerability assessment.

The most common error we see is the 404 Not Found. This error code often comes with many details about the web server and other components. For example:

Not Found The requested URL /page.html was not found on this server.

Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80

This error message can be generated by requesting a URL that does not exist. After the usual message saying the page was not found, there is information about the web server version, OS, modules and other products in use. This information can be very important for both OS and application penetration tests, but web server errors aren't the only ones useful in a security analysis.

So, let's analyze the next case, which shows abnormal behavior:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied

What happened? We'll proceed step by step!

80004005 is a generic IIS error code which indicates that data access to the database isn't possible. In many cases this code is followed by the version of the database, so with this information the pentester can plan an appropriate strategy for the security test.

Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'.

The first example shows a connection error message from a SQL Server database, returned because the database server linked to the application is down or the credentials don't allow access. In this case we could verify whether the web application permits changing the values of the variables used to connect to the database. In the second case we see a generic error in the same situation (we know the database version) but with a different error message and database server. But in the end... it's the same thing!

And now, a practical example of a security test on a web application that loses the link with the database server because the code is badly written (the next error message is caused by the application being unable to resolve the database server name, or by the variable value being modified) or because of other network problems.

For example, we have a database administration web portal which connects to the db server after a log-on phase in order to run queries, create tables and modify database fields. During the POST of the credentials in the log-on phase we meet this message, which reveals the presence of a MySQL database server:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005) ' [MySQL][ODBC 3.51 Driver]Unknown MySQL server host

If we see in the HTML code of the log-on page a hidden field containing a database IP, we can try to change this value in the URL to the address of another database (our database, for example). Another example: knowing which database server runs behind a web application, I can take advantage of this information to carry out a SQL injection for that kind of database, or a persistent XSS.

Information gathering on web applications with server-side technology is quite difficult, so everything we find along the way can be useful for the correct execution of the activities.
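
Seen from the defending side, the same messages can be searched for in an application's own responses. The following Python check is an added example, not part of the original OWASP page: the function name find_disclosures and the generic error page are constructed for illustration, while the other sample texts are the error messages quoted above.

```python
import re

# Apache-style signature footer: "<product tokens> Server at <host> Port <n>"
SIGNATURE_RE = re.compile(r"^(?P<tokens>.*?)[ \t]*Server at \S+ Port \d+", re.M)
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/(\d[\w.]*)")
# OLE DB/ODBC error header, in both forms quoted on the page:
#   "... Drivers (0x80004005)"  and  "... Drivers error '80004005'"
OLEDB_RE = re.compile(
    r"Microsoft OLE DB Provider for ODBC Drivers(?: error)?\s*"
    r"\(?'?(?:0x)?(?P<code>[0-9A-Fa-f]{8})'?\)?")
BRACKET_RE = re.compile(r"\[([^\]]+)\]")  # e.g. [MySQL][ODBC 3.51 Driver]

def find_disclosures(body):
    """Return (kind, detail) findings for one HTTP response body."""
    findings = []
    # Each product/version token in the footer is a separate leak.
    for sig in SIGNATURE_RE.finditer(body):
        for name, version in PRODUCT_RE.findall(sig.group("tokens")):
            findings.append(("server-banner", f"{name} {version}"))
    # The bracketed tags after the error code name the database driver.
    for err in OLEDB_RE.finditer(body):
        eol = body.find("\n", err.end())
        rest = body[err.end(): eol if eol != -1 else len(body)]
        tags = "/".join(BRACKET_RE.findall(rest))
        findings.append(("db-error", f"{err.group('code').upper()} {tags}".strip()))
    return findings

# Error texts quoted on this page, plus one constructed generic error page.
SAMPLES = {
    "404": "Not Found The requested URL /page.html was not found on this server.\n\n"
           "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 "
           "Server at localhost Port 80",
    "sqlserver": "Microsoft OLE DB Provider for ODBC Drivers (0x80004005) "
                 "[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not "
                 "exist or access denied",
    "mysql": "Microsoft OLE DB Provider for ODBC Drivers (0x80004005) ' "
             "[MySQL][ODBC 3.51 Driver]Unknown MySQL server host",
    "generic (constructed)": "An error occurred. Reference: 7f3a91",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = find_disclosures(body)
        print(label, "->", hits if hits else "no disclosure found")
```

A response that yields no findings, like the constructed generic page, is the behaviour to aim for: the error is reported to the user without naming the server, its modules or the database driver.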