Information Leakage and Improper Error Handling Problem and Protection

17 information leakage and improper error handling.pptx



Part of the Web Application Security Course


Page 1: 17 information leakage and improper error handling.pptx

Information Leakage and Improper Error Handling

Problem and Protection

Page 2: 17 information leakage and improper error handling.pptx

I bought InspectionReportingSoftware.com

Page 3: 17 information leakage and improper error handling.pptx

I sent this email

From: [email protected] [mailto:[email protected]]
Sent: Thursday, February 18, 2010 1:32 PM
To: [email protected]
Subject: [XXXXXXX] Contact Us Submitted

From: Rap Payne [email protected] 9723065665

Can I change my username/password? How? I don't see it.

Page 4: 17 information leakage and improper error handling.pptx

I got these instructions

From: Tony Reynolds [mailto:[email protected]]
Sent: Thursday, February 18, 2010 2:52 PM
To: [email protected]
Cc: [email protected]
Subject: RE: [XXXXXXX] Contact Us Submitted

Hi Rap,

Right now, you can't change your username but you can change your password if you go to the login page (click logout if you are currently logged in) and click the "forgot password" link and follow the instructions. You'll enter the username and we'll email you a link that will let you come back in and change the password.

Tony
XXXXXXX.com

Page 5: 17 information leakage and improper error handling.pptx

… to which I responded …

From: Rap [mailto:[email protected]]
Sent: Thursday, February 18, 2010 2:01 PM
To: 'Tony XXXXXXX'
Subject: RE: [XXXXXXX] Contact Us Submitted

Fair enough. Thank you, Tony.

Unfortunately, when I try it, I get this ...

Page 6: 17 information leakage and improper error handling.pptx

Yikes!

Server Error in '/' Application.
---------------------------------------------------------------------

The SMTP host was not specified.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: The SMTP host was not specified.

Source Error:

Line 36:
Line 37: SmtpClient smtp = new SmtpClient();
Line 38: smtp.Send(mm);
Line 39: }
Line 40: catch (Exception e)

Source File: d:\XXXXXXX\XXXXXXLight\App_Code\EmailUtils.cs Line:38

Page 7: 17 information leakage and improper error handling.pptx

… but wait, there’s more …

Stack Trace:

[InvalidOperationException: The SMTP host was not specified.]
   System.Net.Mail.SmtpClient.CheckHostAndPort() +887569
   System.Net.Mail.SmtpClient.Send(MailMessage message) +431
   EmailUtils.SendMessage(String to, String subject, String bodyText, String bodyHTML) in d:\XXXXXXX\XXXXXXXLight\App_Code\EmailUtils.cs:38

[Exception: unable to send mail to [email protected]]
   EmailUtils.SendMessage(String to, String subject, String bodyText, String bodyHTML) in d:\XXXXXXXt\XXXXXXXLight\App_Code\EmailUtils.cs:43
   ASP.forgotpassword_aspx.__RenderContent1(HtmlTextWriter __w, Control parameterContainer) in d:\XXXXXXX\XXXXXXXLight\ForgotPassword.aspx:160
   <snip />
   ASP.namebrightlight_master.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\ae3260a5\93963722\App_Web_sm1wictf.2.cs:0
   <snip />

----------------------------------------------------------------------------

Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

Page 8: 17 information leakage and improper error handling.pptx

… and finally …

Your tech guys should probably specify the SMTP client with optional usernames and passwords. They should also probably set web.config to say "CustomErrors=RemoteOnly".

Can you shoot me an email when you get that fixed, please?

Rap

Page 9: 17 information leakage and improper error handling.pptx

His reply

From: Tony XXXXXXX [mailto:[email protected]]
Sent: Thursday, February 18, 2010 3:24 PM
To: 'Rap'
Subject: RE: [XXXXXXX] Contact Us Submitted

Thanks Rap!

I appreciate the bug report. It's fixed now, try it again...

-Tony

Page 10: 17 information leakage and improper error handling.pptx

Information Leakage and Improper Error Handling

o  OWASP’s 2007 A6 Vulnerability
o  Dropped out in 2010 & 2013
o  When apps leak information about
   •  Configuration
   •  Internal workings
   •  Current state
   •  Privacy

Page 11: 17 information leakage and improper error handling.pptx

How attackers do it

o  Use automated tools to surf with a variety of inputs and click paths
o  Scan for errors
o  Scan for hidden HTML tags
o  They then use that information to do other nefarious things

Page 12: 17 information leakage and improper error handling.pptx

How we protect ourselves

o  Remove comments in HTML and JavaScript
o  Remove non-visible HTML tags
o  Don’t expose error numbers or types
o  Display a custom error page
o  Look for and remove logic vulnerabilities that expose information
o  Change code reviews to look for these things

Page 13: 17 information leakage and improper error handling.pptx

Remove comments in HTML/JavaScript

o  Business and technical details are often in comments

o  We assume nobody will ever see them
o  HTML comment: <!-- if image fails to load, restart 192.168.0.110 -->
o  JavaScript comment: //Change next line to 'development' when testing!

Page 14: 17 information leakage and improper error handling.pptx

Remove non-visible HTML tags

o  Form tags can be tampered with
o  Data is exposed in hidden tags:

<form ...>
  <input type="text" id="txtFavColor" value="purple" />
  <input type="hidden" id="userID" value="lovelolcatz" />
  <input type="hidden" id="email" value="[email protected]" />
</form>
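A small response linter for the leaks slides 13 and 14 describe (HTML comments, JavaScript line comments and hidden form fields), written as an added example in Python; it is not course material, and SAMPLE is a constructed page modelled on the two slides:

```python
"""Lint a server response for the leaks slides 13 and 14 describe: HTML comments
(especially ones naming hosts), JavaScript line comments and hidden form fields.
SAMPLE is a constructed page; the parser is an added example, not course code."""
from html.parser import HTMLParser
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class LeakFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, detail) tuples, in document order
        self._in_script = False

    def handle_comment(self, data):
        text = data.strip()
        kind = "comment-with-ip" if IP_RE.search(text) else "html-comment"
        self.findings.append((kind, text))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "input" and a.get("type", "").lower() == "hidden":
            name = a.get("name") or a.get("id") or "?"
            self.findings.append(("hidden-field", f"{name}={a.get('value', '')}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:             # script bodies reach here as raw text
            for line in data.splitlines():
                m = re.search(r"//(.*)", line)
                if m and "://" not in line:   # crude: ignore lines holding URLs
                    self.findings.append(("js-comment", m.group(1).strip()))


def find_leaks(html):
    parser = LeakFinder()
    parser.feed(html)
    return parser.findings


SAMPLE = """<html><body><!-- if image fails to load, restart 192.168.0.110 -->
<script>var env = 'production'; //Change next line to 'development' when testing!
</script><form action="/save">
<input type="text" id="txtFavColor" value="purple" />
<input type="hidden" id="userID" value="lovelolcatz" />
<input type="hidden" id="email" value="user@example.com" /></form></body></html>"""
```

Run it over the HTML your own pages return; every finding is something a scanner would also see.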

Page 15: 17 information leakage and improper error handling.pptx

Don’t expose error numbers or types

o  Common practice is to generalize the message shown to the user but still include the raw error message
   •  Solution: Never report SQL error numbers, nor raw Exception types

Page 16: 17 information leakage and improper error handling.pptx

Use a generic error page

o  Always return a 200 OK page
   •  The text can specify the error, but it doesn’t tip off vulnerability scanners
   •  Human-readable, but not flagged to exploit tools
o  Change web.config (3.5 SP1 - up):

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.html" />
    </system.web>
  </location>
</configuration>
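What slides 15 and 16 ask for, shown at the code level as an added example in Python rather than the ASP.NET configuration above: one handler echoes the exception the way the slide 6 page did, the other keeps the detail in the server log and returns a fixed 200 page with only a reference id. The failing mailer is a constructed stand-in, not course code.

```python
"""Slides 15 and 16 in plain Python instead of ASP.NET: one handler echoes the
exception the way the slide 6 page did, the other logs it under a reference id
and returns a fixed 200 page. The failing mailer is a constructed stand-in."""
import logging
import traceback
import uuid

log = logging.getLogger("app")
ERROR_LOG = []      # copy of what the server-side log received, for inspection


def send_reset_mail(address):
    # stand-in for the SmtpClient.Send call on slide 6: no SMTP host configured
    raise RuntimeError("The SMTP host was not specified")


def reset_request_leaky(address):
    """What the slide 6 page did: exception type, message and stack go to the user."""
    try:
        send_reset_mail(address)
        return 200, "An email was sent"
    except Exception as e:
        return 500, f"Server Error: {type(e).__name__}: {e}\n{traceback.format_exc()}"


def reset_request_safe(address):
    """Slide 16 behaviour: the full detail stays in the server log, the user gets a
    generic 200 page whose only specific is a reference id support can look up."""
    try:
        send_reset_mail(address)
        return 200, "An email was sent"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        detail = traceback.format_exc()
        log.error("ref=%s\n%s", ref, detail)
        ERROR_LOG.append((ref, detail))
        return 200, f"Sorry, something went wrong. Reference: {ref}"
```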

Page 17: 17 information leakage and improper error handling.pptx

Find/remove logic vulnerabilities

o  Example: forgot password logic
   1.  Prompt user for his username & email
       •  If combination is valid go to step 2
       •  If not, have him re-enter
   2.  Display that an email was sent
   3.  Email user a link allowing him to change his password
o  What could be wrong with that?
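One thing that is wrong with it: the "re-enter" branch in step 1 confirms to anyone whether a username exists and which e-mail goes with it. Below is the flow as written next to a version that gives one reply for every outcome, as an added example in Python (not course code); ACCOUNTS, SENT, TOKENS and the host app.example.com are constructed stand-ins.

```python
"""The slide 17 flow, first as written (step 1 answers differently for unknown
users, wrong e-mails and valid pairs) and then hardened so every input gets the
same reply. Accounts, tokens and outgoing mail are in-memory stand-ins."""
import hmac
import secrets

ACCOUNTS = {"rap": "rap@example.com", "tony": "tony@example.com"}   # constructed
SENT = []          # stand-in outbox: (address, reset link)
TOKENS = {}        # username -> outstanding reset token, server side only


def send_reset_mail(user, email):
    token = secrets.token_urlsafe(32)
    TOKENS[user] = token
    SENT.append((email, f"https://app.example.com/reset?token={token}"))


def forgot_password_as_on_slide(user, email):
    """Step 1 with a 're-enter' branch: the replies tell the caller which
    usernames exist and which e-mail belongs to each one."""
    if user not in ACCOUNTS:
        return "Unknown username, please re-enter"
    if ACCOUNTS[user] != email:
        return "That e-mail does not match this username, please re-enter"
    send_reset_mail(user, email)
    return "An email was sent"


def forgot_password_hardened(user, email):
    """Same lookup and same mail, but one reply for every outcome, so the form
    no longer confirms whether a username or username/e-mail pair exists."""
    stored = ACCOUNTS.get(user, "")
    # compare_digest: comparison time does not depend on where the strings differ
    if stored and hmac.compare_digest(stored.encode(), email.encode()):
        send_reset_mail(user, email)
    return "If that username and e-mail match an account, a reset link has been sent"
```

The mail is still only sent for a valid pair; the difference is that the response no longer says which case occurred.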

Page 18: 17 information leakage and improper error handling.pptx

Code reviews should look for these things

o  Error messages are easy to see

o  Logic errors are much sneakier

Page 19: 17 information leakage and improper error handling.pptx

Additional tips

o  Add random sleep times to all error messages where errors may occur
   •  Vulnerability scanners use unusual wait times as an indication of an error
   •  They can be tricked if all successes and errors have weird response times
o  Make sure you’re hiding details at all levels
   •  Web servers, database layer, Web service responses, etc.

Page 20: 17 information leakage and improper error handling.pptx

Summary

o  Information leakage provides more ammo that attackers can use against us

o  To plug those holes, use generic error pages and remove all hidden data from http responses

o  We should also use code reviews to find sneaky logic errors

Page 21: 17 information leakage and improper error handling.pptx

Further study

o  Best practices with custom error pages
   •  http://bit.ly/CustomErrorPages
o  Creating Custom ASP Error Pages
   •  http://bit.ly/CreatingCustomErrorPages
o  Top 10 web vulnerability scanning tools
   •  http://bit.ly/VulnerabilityScanners
o  Tool to expose a site's stack
   •  http://pageXRay.com/site/yoursite.com.htm