Server Error Message Disclosure

A well-thought-out server error handling plan, settled during application development, is of vital importance in preventing information leakage, because an error message can reveal insightful details about an application's inner workings. Apart from withholding such information from an attacker, a planned error handling strategy is easier to maintain and saves the application from accumulating uncaught errors.

Figure: Sample server error message

How server error messages are harmful

It is common for an application to encounter unexpected behavior, but in the absence of a proper error handling mechanism, applications by default print a stack trace for the error. The stack trace is debugging information about the error which also includes the paths of files and often the piece of code where the error originated.

This information can be exploited by the attacker in numerous ways:

  1. Directory traversal attack: With the error message, it becomes easier for the attacker to know the exact location of the required files, and therefore the number of ../ sequences needed in a path traversal.
  2. SQL injection: Even if the best defense mechanisms are in place to prevent injection attacks, query logic revealed in a server error message (a snippet of the code) might show the attacker a new way to attack the application.

Mitigating against Server Error Message Disclosure

Mitigation against server error message disclosure is to be employed at both the application and the server level. A few examples of each are given below.

Application Level

When an application shows a user an error, the error message should explain the cause of the error, instead of a raw stack trace which lets an attacker learn extra information about the system. For example, if a user enters an unsupported character by mistake (or intentionally), the application, instead of printing complete error details including programming logic, must tell the user: "Error caused because of unsupported characters, please check your input".

Another method is proper input sanitization. Often errors in the application are caused by unsupported characters such as " ' / < >. Proper sanitization techniques must be employed to ensure that no such characters are passed into the application.
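As an added example (not code from the original post), here is a framework-independent Python sketch of the two behaviours described above: the default handler that puts the stack trace in the response body, the hardened handler that explains expected input errors and logs everything else under a reference id, and a small check a defender can run over error bodies to spot disclosure. The route function and its messages are constructed for the example.

```python
"""Application-level error handling: stack trace to the log, generic
message to the client. Constructed example; lookup_user is hypothetical."""
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def lookup_user(user_id: str) -> dict:
    """Stand-in for an application route (constructed for this example)."""
    if not user_id.isdigit():
        raise ValueError("unsupported characters in user id")
    if user_id != "42":
        raise LookupError("no such user")  # simulates an unexpected failure
    return {"id": 42, "name": "alice"}


def handle_debug(route, *args):
    """What many frameworks do by default: the stack trace becomes the body,
    exposing file paths and the failing line of code."""
    try:
        return 200, route(*args)
    except Exception:
        return 500, traceback.format_exc()


def handle_safe(route, *args):
    """Hardened version: expected input errors explain only the cause;
    anything unexpected is logged server-side under a reference id."""
    try:
        return 200, route(*args)
    except ValueError:
        return 400, ("Error caused because of unsupported characters, "
                     "please check your input")
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return 500, f"Something went wrong. Reference: {ref}"


# Markers that indicate a Python stack trace leaked into a response body.
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', ", line ")


def leaks_internals(body: str) -> bool:
    """Return True if an error response body looks like a stack trace."""
    return any(marker in body for marker in LEAK_MARKERS)
```

The reference id lets support staff find the full trace in the server log without the client ever seeing it.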

Server Level

Server level error message handling refers to the custom error pages served for the application. In the sections given below, methods to create custom error pages are given for the most common servers.

  1. Apache web server

    All the error handling in the case of the Apache server is done using the ErrorDocument directive. The syntax of the directive is ErrorDocument <3-digit-code> <action>. More details can be found in the Apache documentation for ErrorDocument.

  2. Microsoft web server

    It is not difficult to add custom error pages on an IIS server. Microsoft's official guide explains the process in their help section, which is as follows.

    1. Open IIS Manager.
    2. In Features View, open Error Pages.
    3. Click Add Custom Error Page and enter the status code for that error page in the Status code box.
    4. Under Response Action, choose one of the following:
      1. Select Insert content from static file into the error response to serve static content.
      2. Select Execute a URL on this site to serve dynamic content.
      3. Select Respond with a 302 redirect to redirect client browsers to a different URL that contains the custom error file.
    5. In the File path text box, enter the path matching the response action selected above. A more detailed explanation can be found in Microsoft's IIS documentation.

  3. Nginx web server

    Following the given steps will enable you to make custom error pages for your Nginx servers.

    1. Create a custom error page in the document root (suppose it is 403.html).
    2. Now edit the configuration file of the Nginx server; any editor such as vim or nano can be used for the purpose:
         # vi /etc/nginx/sites-available/default
       or, if that file does not exist:
         # vi /usr/local/nginx/conf/nginx.conf
    3. Now add the following to the server block of the configuration file (Nginx comments use #):
         error_page 403 /403.html;
         location = /403.html {
             # the error page lies in the document root
             root html;
             allow all;
             internal;   # prevents users from fetching the error page directly
         }

If you cannot find help for the server your application runs on, reach out to us for help.

Any application is only as secure as its weakest link. Often ignored by developers, custom error pages provide additional security to the application by hiding its internal structure and, in many cases, the logic code written by the programmers that would otherwise appear in the server error messages returned by the application.

Astra

At Astra, we have a team of security experts who help website owners and developers every day to secure their websites from attackers. Our intelligent firewall provides real-time 24×7 security against bad bots, hackers, malware, XSS, SQL injection and 80+ other attacks.


About The Author

Shubham Agarwal

A Linux user who crashes his machine more than he uses it. Passionate about cyber security and a digger of good food. Expect faster replies on Stack Overflow than on Facebook.

1 Comment

  1. Top 3 Most Critical Nginx Vulnerabilities Found - Astra Web Security Blog

    […] including Airbnb, Box, Instagram, Netflix, Pinterest, SoundCloud, and Zappos rely on NGINX. Often web servers are the center of attraction for cyber criminals looking to exploit the slightest flaw and steal sensitive information. NGINX has been no exception […]
