Saturday, October 19, 2013

Information Leakage and Improper Error Handling

Information leakage and improper error handling used to be in the OWASP Top 10 2004 and 2007. But they have rename to "Security Misconfiguration" since 2010 and with a wider scope.

While doing my online shopping today, I accidentally triggered an SQL query timeout error. The error page review quite a number of information, which can be useful for the programmer to carry out troubleshooting. But best of all, it also provide the hacker with information to carry out the next level of "attack" to the server.

The error page provides table information, file paths that helps in launching SQL injections and XSS attacks.

















The error page also shows the application that the server is using and its version number. Based on the information, the Microsoft .NET framework version is not the latest. It may contains critical vulnerability that allows elevation of privileges and remote code execution.






Planning to inform the Site administrator on this issues and nobody hacked it yet.


1 comment:

Unknown said...

super post...........