error codes & custom 404s

Post on 18-Dec-2014

Application Error Codes & Custom Error Pages

Security Issue, Remediation & Fun

Contents

• Introduction

• Security Issue

• Examples

• ASP.NET – Error Codes

• Yellow Screen of Death

• Remediation

• Custom Error Codes

Introduction

• Error Codes are very common during Web Application Security tests

• Often seen as a non-security issue

• Easy to remediate

Security Issue

• Error Codes can reveal a lot of information about an Application to an attacker

• This includes:

– Databases

– Bugs

– Server Config

Examples

• MySQL Error:

– Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server

• Database Error:

– Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'

• Web Server Error:

– Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80

ASP.NET – Error Codes

• If a user requests a dynamic resource that does not exist (for example, an ASPX file), then the user sees the default server error message generated by ASP.NET for HTTP 404 errors:

• If an unhandled exception occurs in the application, then the user sees the default server error message generated by ASP.NET for HTTP 500 errors:

Yellow Screen of Death

• ASP.NET web application developers call these the "Yellow Screen of Death" (YSOD)

• Similar to this traffic light, users and developers are unaware of the risk these errors can pose

Remediation

• Add error pages for 404 and 500 error codes from within the application configuration file (web.config)

• This instructs IIS to use the specified custom pages for these error codes
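
A web.config sketch of this remediation, added here as an illustration and not taken from the original slides. The page paths under ~/Errors/ are hypothetical placeholders, and the system.webServer block assumes IIS 7 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak setting, for comparison: <customErrors mode="Off" /> sends the
         full ASP.NET error detail (the YSOD) to every client. -->
    <!-- mode="On" serves the custom pages to all clients, local or remote.
         redirectMode="ResponseRewrite" keeps the requested URL instead of
         issuing a 302 redirect to the error page. -->
    <customErrors mode="On"
                  defaultRedirect="~/Errors/Error.aspx"
                  redirectMode="ResponseRewrite">
      <!-- Hypothetical pages; they should contain no stack trace,
           connection string or version banner. -->
      <error statusCode="404" redirect="~/Errors/NotFound.aspx" />
      <error statusCode="500" redirect="~/Errors/Error.aspx" />
    </customErrors>
  </system.web>

  <system.webServer>
    <!-- Covers requests that ASP.NET does not handle itself, such as
         missing static files. errorMode="Custom" shows the custom pages
         even to requests made from the server itself. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/Errors/NotFound.aspx"
             responseMode="ExecuteURL" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" path="/Errors/Error.aspx"
             responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```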

Custom Error Codes
