IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1
Table of Contents Presentation of the vulnerability � Examples � Server Fingerprinting MySQL Error Messages and SQL Injection Recommendations � Conclusion � Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 2
Presentation of the vulnerability ◮ Application can unintentially leak information through application problems • Configuration • Internal workings • Violate privacy ◮ Internal State can be spotted by measuring the duration of a process • Different input may have different time • Error handling can be seen (takes more time) ◮ Most of the information is leaked through error messages • Information can be used to launch powerful attacks Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 3
Description ◮ Some Application display error messages to users • Messages are quite useful to attackers • Reveal implementation details or vulnerability ◮ Too much detailed Error messages • Displays stack traces • Failed SQL statements • debugging information ◮ Functions produce different results based on different inputs • Same Username with different passwords • should produce the same text for “no such User” and “Bad Password” • However many systems produce different codes Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 4
Fingerprinting of Web Server Access Apache configuration ◮ Simple GET gives the list of all installed modules. GET /abcde HTTP/1.1 Host: localhost HTTP/1.1 404 Not Found Date: Fri, 13 Jun 2008 09:10:52 GMT Server: Apache/2.2.8 (Unix) DAV/2 mod ssl/2.2.8 \ OpenSSL/0.9.8e PHP/5.2.5 mod apreq2 − 20051231/2.6.0 \ mod perl/2.0.2 Perl/v5.10.0 Content − Length: 374 Content − Type: text/html; charset=iso − 8859 − 1 X − Pad: avoid browser bug < !DOCTYPE HTML PUBLIC ” − //IETF//DTD HTML 2.0//EN” > < html >< head > < title > 404 Not Found < /title > Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 5 ...
On a production server ◮ Server banner is more restricted Server: Apache ◮ Server can be changed in the httpd.conf • ServerTokens Prod (uctOnly) Server: Apache • ServerTokens Min (imal) Server: Apache/2.2.8 • ServerTokens OS Server: Apache/2.2.8 (Unix) • ServerTokens Full (or not specified) Server: Apache/2.2.8 (Unix) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8e\ PHP/5.2.5 mod_apreq2-20051231/2.6.0 mod_perl/2.0.2 Perl/v5.10.0 Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 6
Finger Printing ◮ Apache and IIS leave traces • The order of the HTTP Headers is different • The name of HTTP Headers is sometime different ( Content-length vs. Content-Length ) • HTTP Status Sentence are different 404 Not Found vs. 404 Object Not Found ◮ It can let discover which version you have deployed • And which attack should be tried Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 7
MySQL Error messages Very useful for SQL Injection ◮ Indicates if Magic cookie is installed ◮ Indicates if mysql query() is used or prepared statements ◮ MySQL Error gives a part of the Query An Attacker Needs • The name of the tables • The number of fields (useful for a UNION SELECT ) • The name of some columns Unknown column ’test’ in ’where clause’ • . . . Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 8
Recommendations ◮ Ensure that the entire team shares a common approach ◮ Disable or limit detailed error handling • No debug information • stack traces • or path information ◮ Ensure that secure paths that have multiple outcomes return similar or identical error messages • in the same time • If not possible: wait a random time Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 9
Recommendations (Cont.) ◮ Database or Web Server may return exceptional results • Can be used for exploiting the system • Errors from all layers are adequately checked ◮ Need ONE default error message • Prevent the use of Errors specific to one framework ◮ Makes sur HTTP code is always 200 • Reduce ability of automated scanning tool to determine if a serious error occurred (500 for instance) Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 10
Conclusion ◮ Prefer Logging than Displaying Error Messages • You developers have access to log files, • Attacker don’t ◮ Your application contains multiple layer • Be sure not to let messages from one layer corrupt your site ◮ Security by obscurity is not sufficient ! • But it is an extra layer of security Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 11
References ◮ OWASP Top 10 - 2007 http://www.owasp.org/index.php/Top_10_2007 ◮ A Guide for Building Secure Web Applications and Web Services http://www.lulu.com/content/1401012 Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 12
Recommend
More recommend
