rap-payne
Part of the Web Application Security Course
Information Leakage and Improper Error Handling
Problem and Protection
I bought InspectionReportingSoftware.com
I sent this email:

From: [email protected] [mailto:[email protected]]
Sent: Thursday, February 18, 2010 1:32 PM
To: [email protected]
Subject: [XXXXXXX] Contact Us Submitted

From: Rap Payne [email protected] 9723065665
Can I change my username/password? How? I don't see it.
I got these instructions:

From: Tony Reynolds [mailto:[email protected]]
Sent: Thursday, February 18, 2010 2:52 PM
To: [email protected]
Cc: [email protected]
Subject: RE: [XXXXXXX] Contact Us Submitted

Hi Rap,
Right now, you can't change your username but you can change your password if you go to the login page (click logout if you are currently logged in) and click the "forgot password" link and follow the instructions. You'll enter the username and we'll email you a link that will let you come back in and change the password.
Tony
XXXXXXX.com
… to which I responded …

From: Rap [mailto:[email protected]]
Sent: Thursday, February 18, 2010 2:01 PM
To: 'Tony XXXXXXX'
Subject: RE: [XXXXXXX] Contact Us Submitted

Fair enough. Thank you, Tony.
Unfortunately, when I try it, I get this ...
Yikes!

Server Error in '/' Application.
---------------------------------------------------------------------
The SMTP host was not specified.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: The SMTP host was not specified.
Source Error:
Line 36:
Line 37: SmtpClient smtp = new SmtpClient();
Line 38: smtp.Send(mm);
Line 39: }
Line 40: catch (Exception e)
Source File: d:\XXXXXXX\XXXXXXLight\App_Code\EmailUtils.cs Line:38
… but wait, there's more …

Stack Trace:
[InvalidOperationException: The SMTP host was not specified.]
   System.Net.Mail.SmtpClient.CheckHostAndPort() +887569
   System.Net.Mail.SmtpClient.Send(MailMessage message) +431
   EmailUtils.SendMessage(String to, String subject, String bodyText, String bodyHTML) in d:\XXXXXXX\XXXXXXXLight\App_Code\EmailUtils.cs:38

[Exception: unable to send mail to [email protected]]
   EmailUtils.SendMessage(String to, String subject, String bodyText, String bodyHTML) in d:\XXXXXXXt\XXXXXXXLight\App_Code\EmailUtils.cs:43
   ASP.forgotpassword_aspx.__RenderContent1(HtmlTextWriter __w, Control parameterContainer) in d:\XXXXXXX\XXXXXXXLight\ForgotPassword.aspx:160
   <snip />
   ASP.namebrightlight_master.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\ae3260a5\93963722\App_Web_sm1wictf.2.cs:0
   <snip />
----------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
… and finally … Your tech guys should probably specify the SMTP client with optional usernames and passwords. They should also probably set web.config to say "CustomErrors=RemoteOnly".
Can you shoot me an email when you get that fixed, please?
Rap
His reply:

From: Tony XXXXXXX [mailto:[email protected]]
Sent: Thursday, February 18, 2010 3:24 PM
To: 'Rap'
Subject: RE: [XXXXXXX] Contact Us Submitted
Thanks Rap!
I appreciate the bug report. It's fixed now, try it again...
-Tony
Information Leakage and Improper Error Handling
o OWASP Top 10 2007, A6
o Dropped as its own entry in 2010 and 2013 (folded into Security Misconfiguration)
o When apps leak information about
  • Configuration
  • Internal workings
  • Current state
  • Private user data
How attackers do it
o Use automated tools to surf the site with a variety of inputs and click paths
o Scan the responses for error messages
o Scan for hidden HTML tags and comments
o Then use that information to do other nefarious things
How we protect ourselves
o Remove comments from HTML and JavaScript
o Remove non-visible HTML tags
o Don't expose error numbers or types
o Display a custom error page
o Look for and remove logic vulnerabilities that expose information
o Change code reviews to look for these things
Remove comments in HTML/JavaScript
o Business and technical details often end up in comments
o We assume nobody will ever see them, but every visitor can View Source
o HTML comment: <!-- if image fails to load, restart 192.168.0.110 -->
o JavaScript comment: //Change next line to 'development' when testing!
o Server-side comments (<%-- --%> in ASP.NET) are stripped before the page leaves the server; HTML and JavaScript comments are not
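Here is what the automated step looks like from the defender's side, as an added example that is not code from the original slides: a Python check that applies the same signatures a scanner uses (ASP.NET and SQL error strings, HTML and // comments, hidden inputs, private IP addresses, local file paths, version headers, 5xx status) to captured responses, so the comments this slide tells you to remove and the hidden fields covered next can be caught before release. The two responses at the bottom are constructed for the demo.

```python
"""Passive information-leakage scan over captured HTTP responses.

Added example, not code from the original slides: the same signature
matching an automated scanner applies to every page it crawls, turned
into a check you can run over your own rendered responses. The two
responses at the bottom are constructed for the demo.
"""
import re

# Body patterns: (finding name, compiled regex).
BODY_SIGNATURES = [
    ("html_comment", re.compile(r"<!--.*?-->", re.S)),
    # a line that is nothing but a // comment (inside <script> or inline JS)
    ("js_comment", re.compile(r"(?m)^[ \t]*//.*$")),
    ("hidden_input", re.compile(r"<input\b[^>]*\btype=['\"]hidden['\"][^>]*>", re.I)),
    ("aspnet_error", re.compile(
        r"Server Error in '[^']*' Application|Exception Details:|Stack Trace:", re.I)),
    ("sql_error", re.compile(
        r"ORA-\d{5}|SQLSTATE\[|Unclosed quotation mark|Incorrect syntax near|"
        r"You have an error in your SQL syntax|Microsoft OLE DB Provider", re.I)),
    ("internal_ip", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
    ("local_path", re.compile(r"\b[A-Za-z]:\\[^\s\"'<>]+")),
]

# Header patterns: (finding name, lower-cased header, regex the value must match).
HEADER_SIGNATURES = [
    ("server_version", "server", re.compile(r"/\d")),  # e.g. Microsoft-IIS/6.0
    ("framework_version", "x-aspnet-version", re.compile(r".")),
    ("powered_by", "x-powered-by", re.compile(r".")),
]


def scan_response(status, headers, body):
    """Return a list of (finding, evidence) tuples; an empty list means nothing leaked."""
    findings = []
    if status >= 500:
        findings.append(("server_error_status", f"HTTP {status}"))
    lower_headers = {k.lower(): v for k, v in headers.items()}
    for name, header, pattern in HEADER_SIGNATURES:
        value = lower_headers.get(header)
        if value is not None and pattern.search(value):
            findings.append((name, f"{header}: {value}"))
    for name, pattern in BODY_SIGNATURES:
        for match in pattern.finditer(body):
            findings.append((name, " ".join(match.group(0).split())[:80]))
    return findings


def finding_names(status, headers, body):
    """Just the distinct finding categories, handy as a pass/fail gate in CI."""
    return sorted({name for name, _ in scan_response(status, headers, body)})


# Constructed sample responses: one that leaks like the page above, one that does not.
LEAKY_RESPONSE = (
    500,
    {"Server": "Microsoft-IIS/6.0", "X-AspNet-Version": "2.0.50727",
     "Content-Type": "text/html"},
    """<html><body>
<!-- if image fails to load, restart 192.168.0.110 -->
<h1>Server Error in '/' Application.</h1>
<b>Exception Details:</b> System.InvalidOperationException: The SMTP host was not specified.
<form action="/profile" method="post">
  <input type="hidden" name="userID" value="lovelolcatz" />
</form>
<script>
  //Change next line to 'development' when testing!
  var mode = 'production';
</script>
</body></html>""",
)

CLEAN_RESPONSE = (
    200,
    {"Content-Type": "text/html"},
    "<html><body><h1>Something went wrong.</h1><p>Reference 7c1f3a</p></body></html>",
)

if __name__ == "__main__":
    for label, response in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label)
        for name, evidence in scan_response(*response):
            print(f"  {name:20} {evidence}")
```

Run it against a crawl of your own site (status, headers and body from whatever HTTP client you use) and fail the build on any finding; the regex list is a starting point, not a complete catalogue of every framework's error text.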
Remove non-visible HTML tags
o Form fields can be tampered with: nothing stops the client from editing a hidden value before submitting
o Data is exposed in hidden tags:

  <form ...>
    <input type="text" name="txtFavColor" id="txtFavColor" value="purple" />
    <input type="hidden" name="userID" id="userID" value="lovelolcatz" />
    <input type="hidden" name="email" id="email" value="[email protected]" />
  </form>
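The following is an added example, not code from the original slides. It models the form above in Python: a handler that trusts the hidden userID and email fields (so a logged-in attacker who edits userID to another account rewrites that account's email), beside two fixes, taking identity from the server-side session and HMAC-signing any value that genuinely has to round-trip through the client. The user store, session table, request dicts and signing key are constructed for the demo.

```python
"""Hidden form fields: a tampering demo and two fixes.

Added example, not code from the original slides. It models the profile
form above, whose client posts txtFavColor plus hidden userID and email
fields. The user store, session table, request dicts and signing key are
constructed for the demo.
"""
import copy
import hashlib
import hmac

USERS = {  # constructed sample accounts
    "lovelolcatz": {"email": "lolcatz@example.com", "fav_color": "purple"},
    "victim": {"email": "victim@example.com", "fav_color": "green"},
}
SESSIONS = {"sess-lolcatz": "lovelolcatz"}  # session cookie value -> authenticated user
SIGNING_KEY = b"demo-only-key"  # constructed; a real app loads this from its secret store


def update_profile_vulnerable(users, form):
    """Trusts the hidden fields, as the form on the slide invites the server to do."""
    target = form["userID"]  # attacker-controlled: just edit the hidden input
    users[target]["fav_color"] = form["txtFavColor"]
    users[target]["email"] = form["email"]  # password-reset mail now goes to the attacker
    return target


def update_profile_fixed(users, sessions, cookies, form):
    """Fix 1: identity comes from the server-side session; posted identity fields are ignored."""
    username = sessions.get(cookies.get("session"))
    if username is None:
        raise PermissionError("not authenticated")
    users[username]["fav_color"] = form["txtFavColor"]
    # an email change would go through a separate, re-authenticated flow
    return username


def sign_field(value):
    """Fix 2, for values that must round-trip through the client: append an HMAC."""
    mac = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_field(token):
    """Reject any hidden value whose MAC does not match; compare in constant time."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("hidden field was modified")
    return value


def demo():
    """Run the attacker's tampered POST against both handlers and report what changed."""
    tampered = {"txtFavColor": "black", "userID": "victim", "email": "attacker@example.com"}
    attacker_cookies = {"session": "sess-lolcatz"}  # attacker is logged in as lovelolcatz

    users_a = copy.deepcopy(USERS)
    hit = update_profile_vulnerable(users_a, tampered)

    users_b = copy.deepcopy(USERS)
    who = update_profile_fixed(users_b, SESSIONS, attacker_cookies, tampered)

    token = sign_field("lovelolcatz")
    forged = token.replace("lovelolcatz", "victim", 1)  # edit the value, keep the old MAC
    try:
        verify_field(forged)
        forgery_accepted = True
    except ValueError:
        forgery_accepted = False

    return {
        "vulnerable_updated": hit,
        "victim_email_after_attack": users_a["victim"]["email"],
        "fixed_updated": who,
        "victim_email_after_fix": users_b["victim"]["email"],
        "signed_roundtrip": verify_field(token),
        "forgery_accepted": forgery_accepted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second fix is the idea behind ASP.NET's ViewState MAC; plain hidden inputs you add yourself get no such protection, so either look the value up server-side or sign it.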
Don’t expose error numbers or types
o A common half-measure is to wrap the error in a friendly message but still append the raw error text
  • Solution: never report SQL error numbers or raw exception types to the client; log them server-side and show the user an opaque reference instead
Use a generic error page
o Always return a 200 OK page
  • The text can say that something failed, but a 200 doesn't tip off vulnerability scanners that key on 5xx responses
  • Human-readable, but not flagged by exploit tools
  • Caveat: a 200 also hides failures from your own monitoring and lets caches and search engines treat the error page as content; whichever status you choose, the body must be identical for every error type
o Change web.config (3.5 SP1 and up; redirectMode="ResponseRewrite" serves the error page at the original URL instead of issuing a 302):

  <configuration>
    <location allowOverride="false">
      <system.web>
        <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.html" />
      </system.web>
    </location>
  </configuration>

o mode="RemoteOnly" shows the detailed page only to a browser on the server itself; "On" hides it from everyone
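What the two customErrors modes mean for the ForgotPassword.aspx failure shown earlier, as an added Python example that is not code from the original slides: the mail helper uses an SMTP client that was never told which host to use (the same mistake as `new SmtpClient()` with nothing in web.config), one handler returns the stack trace to the browser, the other logs it with a random reference id and returns a fixed message. The log sink is an in-memory list so the script runs offline; the reference-id format is a design choice of this example.

```python
"""Generic error page with the detail kept server-side.

Added example, not code from the original slides. It reproduces the
ForgotPassword.aspx failure in Python: the mail helper is handed an SMTP
client that was never told which host to use, and the two handlers show
what the browser sees with and without custom errors. The log sink is an
in-memory list so the script runs offline.
"""
import logging
import secrets
import smtplib
import traceback

SERVER_LOG = []  # stand-in for the real log sink the ops team reads


class _ListHandler(logging.Handler):
    def emit(self, record):
        SERVER_LOG.append(self.format(record))  # default formatter appends the traceback


log = logging.getLogger("forgot_password")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def send_reset_mail(to, link):
    """Like `new SmtpClient()` with no host in web.config: constructed but never connected."""
    smtp = smtplib.SMTP(local_hostname="localhost")  # no host given, no connect() called
    smtp.sendmail("noreply@example.com", [to],
                  f"Subject: Password reset\n\nFollow this link: {link}")  # raises


def forgot_password_verbose(email):
    """customErrors mode="Off": the exception and stack trace go to the browser."""
    try:
        send_reset_mail(email, "https://example.com/reset?token=PLACEHOLDER")
        return 200, "An email has been sent."
    except Exception:
        return 500, "Server Error in '/' Application.\n" + traceback.format_exc()


def forgot_password_generic(email):
    """customErrors mode="On": full detail to the log, an opaque reference to the user."""
    try:
        send_reset_mail(email, "https://example.com/reset?token=PLACEHOLDER")
        return 200, "An email has been sent."
    except Exception:
        ref = secrets.token_hex(4)  # lets support find the log entry without revealing it
        log.exception("ref=%s failed to send reset mail", ref)
        # The body is the same for every error type. The status code is a monitoring
        # choice: the slide opts for 200, which hides errors from scanners and from
        # your own dashboards alike; 500 with this same body is the alternative.
        return 500, f"Something went wrong. Please quote reference {ref} to support."


if __name__ == "__main__":
    print(forgot_password_verbose("rap@example.com")[1])
    print(forgot_password_generic("rap@example.com")[1])
    print("server log:", SERVER_LOG[-1].splitlines()[0])
```

The reference id is the only thing the two sides share: the user sees a random hex string, the log entry carries the same string next to the full exception, and nothing about the SMTP configuration, file paths or framework version leaves the server.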
Find/remove logic vulnerabilities
o Example: forgot password logic
  1. Prompt the user for his username and email
     • If the combination is valid, go to step 2
     • If not, have him re-enter
  2. Display that an email was sent
  3. Email the user a link allowing him to change his password
o What could be wrong with that?
o Step 1 answers differently for valid and invalid combinations, so an attacker can test guesses and enumerate which usernames and email addresses exist
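The flow above in Python, as an added example that is not code from the original slides: the vulnerable version follows the three steps literally and so tells the caller whether the username/email pair exists; the fixed version returns one message for every input, only does work for real accounts, and issues a random, hashed-at-rest, single-use, expiring token. Accounts, outbox and token store are in-memory dicts constructed for the demo; the token format and 15-minute lifetime are choices of this example.

```python
"""Forgot-password flow: the enumeration leak and a fix.

Added example, not code from the original slides. forgot_password_vulnerable
follows the three steps listed above; forgot_password_fixed answers
identically for every input and only does work for real accounts. Accounts,
outbox and token store are in-memory dicts constructed for the demo.
"""
import hashlib
import secrets
import time

ACCOUNTS = {"rap": "rap@example.com"}  # constructed: username -> email on file
OUTBOX = []  # constructed stand-in for the SMTP relay: (recipient, body)
RESET_TOKENS = {}  # sha256(token) -> (username, expires_at)
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(username, now=None):
    """Random, single-use, time-limited token; only its hash is stored server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (username, now + TOKEN_TTL_SECONDS)
    OUTBOX.append((ACCOUNTS[username], f"https://example.com/reset?token={token}"))
    return token


def forgot_password_vulnerable(username, email):
    """Step 1 on the slide validates the pair and says which way it went."""
    if ACCOUNTS.get(username) != email:
        return "Unknown username or email address, please re-enter."
    issue_reset_token(username)
    return "An email has been sent."


def forgot_password_fixed(username, email, now=None):
    """Same message whether or not the account exists; mail only for real accounts."""
    if ACCOUNTS.get(username) == email:
        issue_reset_token(username, now)
    return "If that username and email match an account, a reset link is on its way."


def redeem_reset_token(token, now=None):
    """Return the username the token was issued for, or None. One attempt consumes it."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop: a token is spent even if it proves expired
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None


if __name__ == "__main__":
    print(forgot_password_vulnerable("nobody", "x@example.com"))
    print(forgot_password_vulnerable("rap", "rap@example.com"))
    print(forgot_password_fixed("nobody", "x@example.com"))
    print(forgot_password_fixed("rap", "rap@example.com"))
    print(len(OUTBOX), "mail(s) queued, all to", {to for to, _ in OUTBOX})
```

The fixed version still does more work when the account exists (token generation and a mail), so its response time can differ; hand the mail to a background queue or pad every response to a fixed floor so the timing channel closes too.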
Code reviews should look for these things
o Error messages are easy to see
o Logic errors are much sneakier
Additional tips
o Don't let response time give the answer away
  • Vulnerability scanners use unusual wait times as an indication of an error (or of a query that actually ran)
  • Random sleeps are a weak fix: an attacker who repeats each request averages the jitter out. Make the success and error paths do the same work, or pad every response to a fixed minimum time
o Make sure you're hiding details at all levels
  • Web servers, database layer, Web service responses, etc.
Summary
o Information leakage provides more ammo that attackers can use against us
o To plug those holes, use generic error pages and remove all hidden data from http responses
o We should also use code reviews to find sneaky logic errors
Further study
o Best practices with custom error pages • http://bit.ly/CustomErrorPages
o Creating Custom ASP Error Pages • http://bit.ly/CreatingCustomErrorPages
o Top 10 web vulnerability scanning tools • http://bit.ly/VulnerabilityScanners
o Tool to expose a site's stack • http://pageXRay.com/site/yoursite.com.htm