A well-thought-out server error handling plan during application development is of vital importance in order to prevent information leakage. That's because an error message is capable of disclosing insightful information about an application's inner workings. Apart from keeping such information away from the attacker, a planned error handling strategy is easier to maintain and saves the application from accumulating uncaught errors.
How server error messages are harmful
It is common for an application to encounter unexpected behavior, but in the absence of a proper error handling mechanism, applications by default print a stack trace for the error. The stack trace is debugging information about the error which also includes the paths of files and often the piece of code where the error originated.
This information can be exploited by the attacker in numerous ways:
- Directory traversal attack: With the error message, it becomes easier for the attacker to learn the exact location of the required files, and therefore the appropriate number of ../ segments to place in the path traversal.
- SQL Injection: Even if the best defense mechanisms are in place to prevent injection attacks, information obtained from the query logic (a code snippet leaked in a server error message) might reveal to the attacker an innovative way to attack the application.
Mitigating against Server Error Message Disclosure
Mitigation against server error message disclosure is to be employed at both the application and the server level. A few examples of each are given below.
When an application shows a user an error, the error message should explain the cause of the error, instead of showing a raw stack trace which enables an attacker to learn extra information about the system. For example, if a user enters a single quote (') by mistake (or intentionally), the application, instead of printing complete error details including programming logic, must say "Error caused because of unsupported characters, please check your input".
Another method is proper input sanitization. Errors in an application are often caused by unsupported characters such as " ' / < >. Proper sanitization techniques must be employed to ensure that no such characters are passed into the application.
Server level error message handling refers to custom error messages for the application. In the sections given below, methods to create custom error messages are given for the most common servers.
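The two application-level measures above, as an added example that is not part of the original article: the default behaviour (returning the traceback to the client) beside a hardened handler that validates input, writes the full stack trace to the server log under a correlation id, and returns only a generic message. Function and logger names are assumptions; the failing backend is simulated.

```python
import logging
import re
import traceback
import uuid
from typing import Callable, Dict, Tuple

# Constructed example: an application-level error boundary. The full stack
# trace is written to the server log under a correlation id; the client only
# ever sees a generic message plus that id. All names here are assumptions.

logger = logging.getLogger("app.errors")

# Characters the text above lists as unsupported in user input
UNSUPPORTED_CHARS = re.compile(r"[\"'/<>]")


class UnsupportedInput(ValueError):
    """Raised when user input contains characters the application rejects."""


def validate_input(value: str) -> str:
    """Reject input before it reaches any query or template logic."""
    if UNSUPPORTED_CHARS.search(value):
        raise UnsupportedInput("unsupported characters in input")
    return value


def leaky_handle_request(handler: Callable[[str], str], raw: str) -> Tuple[int, Dict[str, str]]:
    """The default behaviour the article warns about: the traceback, with
    file paths and code lines, is returned straight to the client."""
    try:
        return 200, {"result": handler(raw)}
    except Exception:
        return 500, {"error": traceback.format_exc()}


def handle_request(handler: Callable[[str], str], raw: str) -> Tuple[int, Dict[str, str]]:
    """Hardened form: validate input, log details server-side, reply generically."""
    try:
        return 200, {"result": handler(validate_input(raw))}
    except UnsupportedInput:
        # Explains the cause without exposing any internals
        return 400, {"error": "Error caused because of unsupported characters, please check your input"}
    except Exception:
        incident_id = uuid.uuid4().hex
        # The stack trace goes only to the server log, keyed by the incident id
        # so that support staff can find it without the client seeing it
        logger.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "An internal error occurred.", "incident_id": incident_id}


def flaky_query(value: str) -> str:
    """Stand-in for backend code that fails (simulated database error)."""
    raise RuntimeError("database connection refused")


if __name__ == "__main__":
    print(leaky_handle_request(flaky_query, "abc"))   # traceback reaches the client
    print(handle_request(flaky_query, "abc"))         # generic message plus incident id
    print(handle_request(str.upper, "o'reilly"))      # rejected at validation
    print(handle_request(str.upper, "hello"))         # normal success path
```

The incident id is what makes the generic message workable in practice: the user can quote it to support, and the operator looks it up in the log, so no diagnostic detail has to travel to the browser.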
Apache web server
All the error handling in the case of the Apache server is done using the ErrorDocument directive. The syntax of the directive is ErrorDocument <3-digit-code> <action>. More details can be found in the Apache documentation for ErrorDocument.
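An Apache configuration fragment as an added example (not from the original article) showing the three forms the action can take: a local page, an external URL, and a literal message. The /errors/ paths are assumptions and must exist under DocumentRoot; the last two directives are not about ErrorDocument but stop the server from advertising its version on generated error pages.

```apache
# Added example: keep error pages generic so no stack trace or path reaches the client.
# Action is a site-local path: Apache serves this file with the original status code.
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
ErrorDocument 403 /errors/403.html

# Action is a full URL: the client is redirected there instead (status becomes 302).
ErrorDocument 503 https://status.example.com/maintenance

# Action is a quoted string: Apache sends the text itself as the response body.
ErrorDocument 400 "Bad request: please check your input."

# Not part of ErrorDocument, but related hardening: do not print the server
# version/OS in the footer of generated error pages or in the Server header.
ServerSignature Off
ServerTokens Prod
```

Prefer the site-local path form for 5xx codes: a redirect to an external URL turns every server error into a 302, which hides the failure from monitoring as well as from the user.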
Microsoft web server
It is not difficult to add custom error pages on an IIS server. Microsoft's official guide explains the process in its help section as follows.
- Open IIS manager
- In Features View, open Error Pages.
- Click Add Custom Error Page; in the Status code box, enter the status code for that error page.
- Under Response Action, choose one of the following:
- Select Insert content from static file into the error response to serve static content.
- Select Execute a URL on this site to serve dynamic content.
- Select Respond with a 302 redirect to redirect client browsers to a different URL that contains the custom error file.
- In the File path (or URL) text box, enter the path according to the selection made above. A more detailed explanation can be found in Microsoft's IIS documentation.
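The same settings expressed in web.config, as an added example that is not from the original article or Microsoft's guide. The three responseMode values correspond to the three response actions listed above; the file paths and URLs are assumptions. The customErrors element belongs to ASP.NET and covers errors raised by application code rather than by IIS itself.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- errorMode="Custom" serves the custom pages to local and remote clients alike;
         existingResponse="Replace" discards any body the application already produced,
         so an application-generated stack trace is never sent. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <!-- "Insert content from static file": responseMode="File", physical path (assumed) -->
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="500" subStatusCode="-1" responseMode="File"
             path="C:\inetpub\custerr\500.htm" />
      <!-- "Execute a URL on this site": responseMode="ExecuteURL", site-relative URL -->
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" subStatusCode="-1" responseMode="ExecuteURL"
             path="/errors/404.aspx" />
      <!-- "Respond with a 302 redirect": responseMode="Redirect", absolute URL -->
      <remove statusCode="403" subStatusCode="-1" />
      <error statusCode="403" subStatusCode="-1" responseMode="Redirect"
             path="https://www.example.com/errors/forbidden" />
    </httpErrors>
  </system.webServer>
  <system.web>
    <!-- ASP.NET exceptions: full details only on the local machine, generic page for remote users -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/errors/500.aspx" />
  </system.web>
</configuration>
```

The remove elements matter: IIS merges inherited error definitions, and adding a second entry for a status code that is already defined at a higher level is rejected as a duplicate.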
Nginx web server
The following steps let you create custom pages for your Nginx server.
- Create a custom error page in the root directory (suppose it is 402.html).
- Then edit the Nginx server's configuration file to reference that page; any editor can be used for the purpose, such as vim or nano.
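The configuration change that the second step refers to, as an added example that is not from the original article: the error_page directive maps status codes to the page created in the first step. The root path and the 50x.html page are assumptions.

```nginx
# Added example: serve custom error pages instead of Nginx's default ones.
server {
    listen 80;
    server_name example.com;      # assumed
    root /var/www/html;           # assumed; 402.html from the first step lives here

    # Map the status code to the custom page created in the root directory.
    error_page 402 /402.html;
    # Several codes can share one page; upstream failures (502/503/504) usually do.
    error_page 500 502 503 504 /50x.html;

    # "internal" means these pages are only served as error responses;
    # a direct request for /402.html returns 404 instead of revealing the page.
    location = /402.html { internal; }
    location = /50x.html { internal; }

    # Related hardening: drop the version number from the Server header
    # and from the default error pages.
    server_tokens off;
}
```

Run nginx -t after editing and reload the service; the error_page directive can also be placed inside a specific location block when different parts of the site need different pages.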
If you cannot find help for the server your application runs on, reach out to us for help.
Any application is as secure as its weakest link. Often ignored by developers, custom error pages provide an additional layer of security to the application by hiding the internal structure and, in many cases, the logic code implemented by the programmers that would otherwise appear in the server error messages returned by the application.
At Astra, we have a team of security experts who help website owners and developers every day to secure their websites from attackers. Our intelligent firewall provides real-time 24×7 security against bad bots, hackers, malware, XSS, SQL and 80+ attacks.