Error Handling Flaws - Information and How to Fix Tutorial 

What Is Improper Error Handling?

It’s not unusual for web applications or databases to generate error messages. In fact, they’re a normal part of operations, and they provide valuable insights into issues and problems. However, improper error handling introduces significant security risks.

The most common vulnerabilities occur when a system reveals detailed error messages or codes generated from stack traces, database dumps, and a wide variety of other problems, including out of memory, null pointer exceptions, and network timeout errors.

Attackers can use this information to exploit flaws and break into systems. In addition, inconsistencies in messages may offer clues about how a site operates and how to exploit it. Improper error handling may result in system crashes, buffer overflows and denial of service attacks. They can also expose sensitive data and information, including passwords.

Ask a Qualified AppSec Expert

Ask in the Community

Rates of Error Handling Flaws in Software


Error Handling Flaw Rates

How Does Improper Error Handling Occur?

Improper error handling results when security mechanisms fail to deny access until it’s specifically granted. This may occur as a result of a mismatch in policy and coding practice. It may also result from code that lacks appropriate error handling logic.

For example, a system may grant access until it’s denied. When users input a set of instructions that the system can’t accommodate, they may receive an error message such as “file not found” or “access denied.” Frequently, the user isn’t supposed to know the file exists. But the message confirms that an inaccessible file or directory structure resides on the system. It’s then possible to use a number of attack methods to gain access to the system.

Anatomy of an Error Handling Attack

An intruder enters different commands and instructions and uses specific error messages to gather information about potential vulnerabilities. Once the intruder has sufficient information, he or she unleashes an attack.

Error Handling Attack and Defense Examples

Here’s an OWASP example of a HTTP 404 Not Found error that reveals sensitive information:

Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g  DAV/2 PHP/5.1.2 Server at localhost Port 80

This error message is generated when the user requests a non-existent URL. In addition to informing the user that an error has occurred and the file can’t be found, the code delivers valuable information about the web server version, OS, modules, and code used. An attacker can use this information to design an attack.

Here’s an example of a database error that offers attackers insights into the system structure. It’s written in PHP:

try {
//print exception message that includes exception message and configuration file location 
catch (Exception $e) {
echo 'Caught exception: ', $e->getMessage(), '\n';
echo 'Check credentials in config file at: ', $Mysql_config_location, '\n';

This example from demonstrates how an attacker can target a configuration file, such as a Path Traversal weakness. If the attacker is successful in reading the file, this person could gain credentials for accessing the database. At that point, the attacker might replace the actual file with a malicious file. This could result in the application using an arbitrary database.

Preventing Damage and Remediating Code Are Critical

Relying on default settings for generating error messages from servers, operating systems, databases, and web application is inadequate. It’s important to provide error messages that deliver useful information without revealing unnecessary system or application details. This requires security teams to test sites and other resources for various types of errors and understand how they respond. The next step is a detailed code review that examines error handling logic.

Once an organization has identified vulnerabilities, it’s vital to address any gaps or deficiencies, and strive for consistency across all sites, databases, and web applications. OWASP recommends developing specific policies for how to address errors and for determining what information is provided to users who receive error messages. Finally, it’s critical to log errors and analyze the data to help detect flaws as well as possible hacking attempts. For instance, if a log file shows that errors are generating numerous messages from a default exception handler, a code update is likely required.

Veracode Can Aid in the Defense of Improper Error Handling

Veracode Web Application Scanning can safely, accurately, and quickly discover web application flaws, including improper error handling, in running web applications, in either production or pre-production environments.

Veracode Static Analysis can accurately identify error handling vulnerabilities and other flaws in your application and its third-party components and tell your developers exactly where and how to repair them, all without ever looking at the source code.

Our cloud-based application security platform helps you manage your application security program, track progress, and educate your developers on avoiding and repairing improper error handling and other security flaws through integrated eLearning materials.

Secure Coding Handbook

Learn best practices from the pros at Veracode.

Get the Handbook