Error Handling Attack & Defense Examples
Here’s an OWASP example of an HTTP 404 Not Found error that reveals sensitive information:
Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
This error message is generated when a user requests a URL that doesn’t exist. The response not only tells the user that an error occurred and the file cannot be found, but also discloses the web server software and version, the operating system, the loaded modules, and the PHP version in use. Attackers can use this information to design attacks.
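As an added example (not code from the original page), the Python below flags product/version tokens in an error body like the one above and contrasts a verbose error handler with a hardened one that logs the detail server-side under a correlation id and returns only a generic message. The sample body is copied from the page; the banner string, log format and function names are constructed assumptions.

```python
from __future__ import annotations
import logging
import re
import uuid

# Constructed sample: the Apache-style 404 body quoted on this page.
VERBOSE_404 = (
    "Not Found The requested URL /page.html was not found on this server. "
    "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 "
    "Server at localhost Port 80"
)

# Matches product/version tokens such as "Apache/2.2.3" or "OpenSSL/0.9.7g".
VERSION_TOKEN = re.compile(r"\b([A-Za-z_]+)/(\d+(?:\.\d+)*[A-Za-z0-9]*)")

log = logging.getLogger("errors")


def find_version_disclosures(body: str) -> list[str]:
    """Return every product/version token present in an error body.

    Useful as a check over responses in a test suite or proxy log: an empty
    list means the body discloses no software versions.
    """
    return [f"{name}/{ver}" for name, ver in VERSION_TOKEN.findall(body)]


def error_response(status: int, detail: str, verbose: bool) -> tuple[int, dict, str]:
    """Build (status, headers, body) for an error.

    verbose=True mimics the leaky page above: the internal detail and a
    server banner go straight to the client. verbose=False is the hardened
    form: the detail is logged server-side under a correlation id, and the
    client only receives a generic message plus that id for support lookups.
    """
    if verbose:
        banner = "Apache/2.2.3 (Unix) PHP/5.1.2"  # constructed banner
        return status, {"Server": banner}, f"{status} error: {detail}\n{banner}"
    ref = uuid.uuid4().hex[:12]
    # Full detail stays in the server log, keyed by the reference id.
    log.error("ref=%s status=%d detail=%s", ref, status, detail)
    return status, {"Server": "web"}, f"{status} error. Reference: {ref}"
```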
What is Improper Error Handling?
Error handling is the mechanism by which a program deals with the errors and exceptions that arise while it runs. Its purpose is to keep the program or system from crashing: without it, an unhandled exception disrupts the normal flow of the application. Even a completely standalone application can hit a fault in the computer’s storage or RAM that affects execution, so developers must plan for such interference from errors while writing a program.