Error Messages Overview

Think about these questions.

* Why are Error Conditions and Error Messages a security problem?
* What’s wrong with error conditions?
* Wouldn’t an administrator want the most amount of information provided to use that error message to determine the problem?

Typically during the Testing process error messages are encouraged. Error Messages help in narrowing down the problems and isolated the issues. A malicious user will also use these error messages and conditions. Error messages provide additional information to the malicious user in determining the architecture of the product. An error message can give out too much information.
What should error messages NOT display

An error message should NOT display an entire exception describing what the entire process of code function calls occurred to generate the error exception. Java based programs, and web applications typically do this by default. If an error is hit, an exception is thrown, and it might be echo’d out to the browser or console.

Error messages should not display a specific error describing what error has occurred. For example picture a login box asking the user to enter a user name and password. If an incorrect password is entered, and an error message states, sorry wrong password please try again. What has the malicious user just learned? The password was incorrect right. Think what else that malicious user has learned. He/she has learned that the user name was correct. The malicious user has just discovered that although the password was incorrect, the user name was correct. Instead of the specific message stating where the problem was, the error message should state the user name and/or password you entered is invalid, please try again. This simple change will not allow a malicious user to discover information about your user store on the back end.

Error messages also include the http error status code. Sometimes a http error status code can give additional information that could be used in isolated and determining the architecture of a given software application.

Error messages should never display information about the underlying database. A black hat hacker could use this information to determine what the underlying database structure looks like and possibly use this in some SQL injection attack. Additionally it could provide information regarding what type of database you are running, versions, and all sorts of other sensitive information.

Explore More

Blind SQL Injection and XSS Vulnerability in MyRingTune

PlanetCreator reported another critical SQL injection (vulnerability) on MyRingTune  URL : http://www.myringtuneonline.com SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of

Read More

Expert Tips for Keeping Google Hacks at Bay

The first step for protecting yourself from something is knowing how that something works. In the case of Google hacking, you will have to learn how it can be used

Read More

System User on XP

Here is the article on the available ways to logon/scalate to SYSTEM user on XP… Enjoy Logon as “NT AUTHORITY\SYSTEM” user on Windows XP %% BY EDU %% [-Introduction-]Windows XP

Read More