Error Messages Overview

Think about these questions.

* Why are Error Conditions and Error Messages a security problem?
* What’s wrong with error conditions?
* Wouldn’t an administrator want as much information as possible in an error message, so that it can be used to determine the problem?

Typically, during the testing process, detailed error messages are encouraged: they help in narrowing down problems and isolating the issues. A malicious user will also make use of these error messages and conditions. Error messages give the malicious user additional information for determining the architecture of the product, and an error message can easily give out too much.

What should error messages NOT display

An error message should NOT display an entire exception, i.e. the whole chain of function calls that led to the error. Java-based programs and web applications typically do this by default: if an error is hit, an exception is thrown, and its stack trace may be echoed out to the browser or console.

Error messages should not describe specifically which error has occurred. For example, picture a login box asking the user to enter a user name and password. An incorrect password is entered, and the error message states, "Sorry, wrong password, please try again." What has the malicious user just learned? That the password was incorrect, right. Think about what else that malicious user has learned: the user name was correct. Although the password was wrong, the malicious user has just discovered that the user name is valid. Instead of a specific message stating where the problem was, the error message should state "The user name and/or password you entered is invalid, please try again." This simple change will not allow a malicious user to discover information about your user store on the back end.

Error messages also include the HTTP status code. Sometimes an HTTP status code can give additional information that could be used in isolating and determining the architecture of a given software application.

Error messages should never display information about the underlying database. A black hat hacker could use this information to determine what the underlying database structure looks like and possibly use it in a SQL injection attack. Additionally, it could reveal what type of database you are running, its version, and all sorts of other sensitive information.
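The login example above and the exception and database rules, shown side by side as an added example (not code from the original page). The leaky handler tells the caller which of user name or password was wrong; the hardened handler returns one generic message for every failure, keeps the stack trace and any database error text in the server log, and hands the user only a short reference number. The user store, salt and sample credentials are constructed for the example.

```python
import hashlib
import hmac
import logging
import uuid

# Constructed user store for the example: user name -> salted SHA-256 hex digest.
_SALT = b"example-salt"


def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse")}
# Digest that no password can produce; used so an unknown user costs the same work.
_DUMMY = "0" * 64
GENERIC = "The user name and/or password you entered is invalid, please try again."


def login_verbose(username, password):
    """Leaky version: a different message for unknown user and wrong password."""
    if username not in USERS:
        return "Unknown user name."
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return "Sorry, wrong password, please try again."
    return "Welcome."


def login_generic(username, password, lookup=USERS.get):
    """Hardened version: one message for every failure; details only in the server log.

    `lookup` stands in for the database call and may raise (hypothetical hook).
    Returns (succeeded, message_for_user).
    """
    try:
        stored = lookup(username)
        known = stored is not None
        # Always run the comparison so unknown and known users take the same path.
        ok = hmac.compare_digest(stored if known else _DUMMY, _digest(password)) and known
    except Exception:
        ref = uuid.uuid4().hex[:8]
        # Stack trace and database error text stay server-side, tied to the reference.
        logging.exception("login error, reference %s", ref)
        return False, "%s (reference %s)" % (GENERIC, ref)
    if not ok:
        return False, GENERIC
    return True, "Welcome."
```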
