6/21/24, 10:46 AM Error Handling Flaws - Information and How to Fix | Veracode

Application Security
Basics APPLICATION SECURITY

AppSec Policies
Knowledge Base
Search Our Knowledge Base
Advanced Application Search our knowledge base...
Security
AppSec Knowledgebase Categories >

Development

Web Application Flaws

Home AppSec Knowledgebase Error Handling Flaws Reading Time: 6
& Vulnerabilities
min(s)

Remediation Guidance
Error Handling Flaws - Information
and How to Fix Tutorial
Miscellaneous Understanding error messages is an important part of web application
development and troubleshooting. Error messages provide valuable information
to the developer when something goes wrong, allowing them to fix problems
with their application and improve the user experience. Unfortunately, when
errors are not handled in a secure manner, they can expose sensitive
information – sometimes leading to vulnerabilities – to attackers.

What Is Improper Error Handling?

Improper error handling flaws occur when an error message that’s displayed to
an end user provides clues about how an application or website operates.
Although messages like this can help developers fix problems on their sites,
they also show attackers information that they can use to help them break into
what should be secured areas. For example, an error message that includes
information on the structure of a SQL database table may give attackers
everything they need to know in order to carry out a successful SQL injection
attack. In some cases, improper error handling can even directly expose the
data attackers want, such as passwords.

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 1/7
6/21/24, 10:46 AM Error Handling Flaws -Ask
Information
in theand How to Fix | Veracode
Community

Ask an Application Security Expert

Improper error handling can lead to serious consequences for any organization,
including data leaks and many other exploits. If you’re curious about the risks
from improper error handling flaws in your code, the rest of this article explains
how to protect against this threat. If you have a more specific question, you can
also ask for advice in the Veracode Community, our active forum of application
security experts.

Rates of Error Handling Flaws in Software

When Does Improper Error Handling

Occur?
Whenever error messages contain details that might be useful to an attacker,
that’s evidence of Improper Error Handling. In many cases, improper error
handling is a result of using default error handlers. These messages may include
detailed information about a file system or even just acknowledge that hidden
files and directories exist.

The following are examples of error handling flaws:

A message that includes server software version details

A message that reveals where a configuration file holding credential

information is located

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 2/7
6/21/24, 10:46 AM An authentication error
Error Handling Flawsmessage that
- Information andbehaves
How to Fix differently
| Veracode when the user
identifier exists than when it does not

Anatomy of an Error Handling Attack

Error handling flaws don't cause harm by themselves. Rather, they allow
attackers to uncover vulnerabilities or angles of attack they can use to exploit
other system flaws.

This makes error handling attacks a type of reconnaissance, where attackers

analyze web applications or other systems for weak points before breaking in
and stealing data or causing damage. Another way to think of this is akin to
attackers "testing the fence" before selecting the weakest point to break
through.

Example of Improper Error Handling

Here is an example SQL error message:

Warning: uncaught exception error in D:pagesauthenticat

Because the message includes a file location, attackers have added more details
to their knowledge about the website's structure. Worse, the filename
"authenticate-new" implies the existence of an "authenticate" as well. If this
older file is still on the server and is less secure, attackers may be able to use it
to get access they should not have.

Error Handling Attack and Defense

Examples
Here’s an OWASP example of a HTTP 404 Not Found error that reveals sensitive
information:

1 Not Found

2 The requested URL /page.html was not found on this

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 3/7
6/21/24, 10:46 AM Error Handling Flaws - Information and How to Fix | Veracode

This error message is generated when the user requests a non-existent URL. In
addition to informing the user that an error has occurred and the file can’t be
found, the code delivers valuable information about the web server version, OS,
modules, and code used. An attacker can use this information to design an
attack.

Here’s an example of a database error that offers attackers insights into the
system structure. It’s written in PHP:

1 try {

2 openDbConnection();

3 }

4 //print exception message that includes exception m

5 catch (Exception $e) {

6 echo 'Caught exception: ', $e->getMessage(), '\n';

7 echo 'Check credentials in config file at: ', $Mysq

8 }

This example from Mitre.org demonstrates how an attacker can target a

configuration file, such as a Path Traversal weakness. If the attacker is successful
in reading the file, this person could gain credentials for accessing the database.
At that point, the attacker might replace the actual file with a malicious file. This
could result in the application using an arbitrary database.

How to Prevent Improper Error Handling

Many error handling flaws come from default error handlers, which tend to
provide more information than is necessary for users. Finding and replacing
these error handlers with more secure approaches is an important first step to a

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 4/7
 message to users one that avoids revealing sensitive information.
6/21/24, 10:46 AM Error Handling Flaws - Information and How to Fix | Veracode
Another important aspect of error handling is consistency. Developers should
carry out a detailed code review of error handling logic in their system and
ensure proper error handling throughout. OWASP defines proper error handling
as that which provides "a meaningful error message to the user, diagnostic
information to the site maintainers, and no useful information to an attacker"
and recommends writing specific policies for error handling that can achieve
these things.

Find and Fix Error Handling Flaws With

Veracode
Veracode's cloud-based application security solution offers many opportunities
to find and fix security flaws before they can harm an organization's customers
and damage its reputation. Here are a few of the ways Veracode can be used to
take care of improper error handling flaws.

Web-Application Scanning
Web-application scanning, also known as dynamic analysis, is a type of test that
runs while an application is in a development environment. Dynamic analysis is
a great way to uncover error-handling flaws. Veracode's dynamic analysis scan
automates the process, returning detailed guidance on security flaws to help
developers fix them for good.

Static Analysis
Unlike web-application scanning, static analysis looks at the code of an
application without having to run it. While this process often requires access to
the application's source code, Veracode's binary static analysis tool scans the
binary (or executable) code instead, meaning customers can find flaws in parts
of their application to which they don't have source code.

Application Analysis and Developer Enablement

Veracode's application analysis products are modular, with a centralized cloud-
based platform that makes it easy for developers to view their entire
application's security situation in one place. Our security solutions can also be
implemented in an organization's existing application development workflow
with one of our more than 40 integrations. We use IDEs and other application
development software.

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 5/7
6/21/24, 10:46 AM Error Handling
Veracode is more than justFlaws - Informationsecurity
a software and How to Fix | Veracode
scanning system. Our cloud-
based tools provide developers with in-context guidance that teaches them
best practices at the same time making software more secure. We also provide
eLearning solutions, such as expert-led online workshops and self-paced
training. Check out our catalog of application security practices today or
download our free handbook on secure coding best practices to get started.

Secure Coding Handbook

A developer’s guide to delivering safer code faster in the cloud and on premises.

Get the Handbook

Products

Solutions

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 6/7
6/21/24, 10:46 AM Error Handling Flaws - Information and How to Fix | Veracode

Company

© 2024 Veracode. All Rights Reserved.

Legal - Privacy Terms of Use Cookies Settings

https://www.veracode.com/security/error-handling-flaws-information-and-how-fix-tutorial 7/7