13. Error Handling and Logging

eLearnSecurity © 2013

OUTLINE

13.1. Introduction
13.2. What the Problem Is
13.3. How Can I See If I Am Vulnerable To This?
    13.3.1. Business Logic Flaws Due To Improper Error Handling
    13.3.2. Platform Error Messages
    13.3.3. Application Error Messages
    13.3.4. Logging
13.4. How Can I Fix This?
    13.4.1. Fail Securely
    13.4.2. Platform Error Messages
    13.4.3. Application Error Messages
    13.4.4. Logging
13.5. Further Reading
Labs
Video: Error Handling and Logging


13.1. Introduction

This module focuses on specific defense tactics to handle error conditions and logging.

Sooner or later all web applications face unexpected conditions, typically due to a combination of input that was not anticipated, but potentially also related to environment factors such as server load.

For example, most web attacks involve a combination of input that the application did not anticipate. If there are no adequate logs in place (e.g. the POST body is not logged by default on most web servers), it might not be possible to determine the root cause of the problem, whether it is a security issue or not.

In addition to this, common misconfiguration errors such as displaying verbose error messages on the screen may be of assistance to a prospective attacker.

All applications, no matter what size they are, will eventually crash or hit an error condition, either in production, during User Acceptance Testing (UAT) or during development.

Error handling defines how these unexpected error conditions will be dealt with by the application and by the platform in use.

Logging defines how traces of errors or other events are saved to persistent storage (generally files or a database) so that they can be reviewed later.

Error messages, while helpful for end users, may sometimes facilitate other attacks. For example, when the .NET padding oracle vulnerability was published in 2010, exploitation of the vulnerability relied on error messages, even though they were generic:

• How to check if your application is vulnerable to the ASP.NET Padding Oracle Vulnerability
  http://www.acunetix.com/blog/news/check-application-vulnerable-asp-net-padding-oracle-vulnerability/

Tools such as sqlmap will sometimes be significantly faster at exploiting SQL injection vulnerabilities when error messages are present. From the Netvolution referer header SQL injection vulnerability write-up:

    [11:02:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    parsed error message(s) showed that the back-end DBMS could be Microsoft SQL Server.
    Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    [11:02:16] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'

  http://census-labs.com/news/2011/10/03/netvolution-referer-SQLi/

A good write-up about how error messages can help exploit SQL injection faster can be found here:

• Speeding up Blind SQL Injections using Conditional Errors in MySQL
  http://ha.xxor.se/2011/06/speeding-up-blind-sql-injections-using.html

Other forms of information leakage or vulnerabilities introduced through error messages are the following:

• CVE-2007-6271: Absolute News Manager.NET 5.1 allows remote attackers to obtain sensitive information via a direct request to getpath.aspx, which reveals the installation path in an error message.
  http://www.cvedetails.com/cve/CVE-2007-6271/

• Hardened-PHP Project: phpMyAdmin - error.php XSS Vulnerability. It was discovered that phpMyAdmin comes with a script to display error messages that supports displaying the error in a user supplied charset.
  http://www.phpdeveloper.org/news/6632


13.2. What the Problem Is

Sometimes incorrect error handling leads to security flaws.


13.3. How Can I See If I Am Vulnerable To This?

13.3.1. Business Logic Flaws Due To Improper Error Handling

For example, if you look at the following code snippet you may notice that an unexpected exception in a library could leave $allowed set to "true":

    $allowed = true; // Never do this: defaulting to "allowed" means a higher likelihood of failure
    try {
        library_call(); // The library throws an exception: throw new Exception('Unexpected..');
        $allowed = false; // Never do this: only rejecting access after code that could fail
    }
    catch (Exception $e) {}


13.3.2. Platform Error Messages

Platform error messages are perhaps the easiest to find. Typically, these only require reviewing:

• The platform configuration files, for example php.ini for PHP and httpd.conf for Apache.
• Overrides applied closer to the application, for example ini_set() calls in PHP and .htaccess files in Apache.

If at any point platform error messages are configured to be rendered on the screen, then the web application is vulnerable.


13.3.3. Application Error Messages

Application error messages require more testing to be identified. Global searches on the source code may help to identify them, but this should be combined with dynamic analysis whenever possible.

The vulnerability in application error messages will generally be in the message itself. For example:

    Error message                                                 | Security implication
    ------------------------------------------------------------- | -----------------------------------------------------------
    "The username you provided does not exist"                    | User enumeration
    "This record can only be viewed by the following users: ..."  | User enumeration, and information leakage that might be
                                                                  | leveraged to attack those users in order to escalate privileges
    "You have a syntax error in your SQL query near ..."          | Assists the attacker in exploiting SQL injection more easily
    "Invalid <unsanitized input here>"                            | Classic XSS vulnerability when displaying user input in an
                                                                  | error message without output encoding first
    "Saving file in /home/www/payroll/ ..."                       | Reveals that the underlying operating system is a Unix
                                                                  | derivative, and the location of files
    "The SQL query is: SELECT column1, column2 ..."               | Full SQL query, tables and columns revealed


13.3.4. Logging

Logging needs will vary from application to application and from organization to organization. But generally speaking, if logging is insufficient to track a security incident, then there will likely be a problem.

It is important to note here that a security incident may be as simple as an insecure direct object reference: a user changing the record ID to a different number in order to try to view what they should not be allowed to view.

https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Testing of logging issues should try to answer questions such as:

• If the web server is compromised and the attacker is root, can the logs be trusted?
• Are logs archived for long enough?

Verizon's latest annual "Data Breach Investigations Report" was not able to find a single company it studied that was able to discover a breach within minutes or hours. Meanwhile, a study from security firm Trustwave found the average time between breach and detection was 210 days.

http://www.scmagazine.com/it-decision-makers-are-more-optimistic-about-breach-detection-than-they-should-be/article/299103/

OWASP guidelines to test for this issue can be found here:

• Testing for Error Code
  https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006)
• Testing for Stack Traces
  https://www.owasp.org/index.php/Testing_for_Stack_Traces_(OWASP-IG-XXX)


13.4. How Can I Fix This?

13.4.1. Fail Securely

Always default to "not allowed" in order to fail securely when unexpected conditions occur. Reversing the snippet in 13.3.1, $allowed is initialised to "false" and only set to "true" once the call that could fail has completed; an unexpected exception in the library would then still leave $allowed set to "false".

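The two patterns side by side, as an added example written for this page (not code from the slides, and in Python rather than the slides' PHP). `library_call` and its small user directory are constructed stand-ins for any third-party authorisation lookup that can raise; the default-deny version also records the failure, which 13.4.4 later asks for.

```python
"""Added example: fail-secure access decision (written for this page, not
taken from the slides).

The slide's snippet starts with $allowed = true and only rejects after a
library call that may throw, so a swallowed exception grants access. The
same bug and its default-deny fix are shown side by side. `library_call`
and its constructed user directory stand in for any third-party
authorisation lookup.
"""
from typing import List


class LibraryError(Exception):
    """Any unexpected exception from a third-party library."""


def library_call(user: str) -> bool:
    """Constructed authorisation lookup: returns whether `user` may proceed,
    and raises for unknown users the way a real backend might on a timeout."""
    directory = {"alice": True, "bob": False}
    if user not in directory:
        raise LibraryError("directory lookup failed for %r" % user)
    return directory[user]


def check_access_default_allow(user: str) -> bool:
    """Vulnerable pattern from 13.3.1, kept on purpose: `allowed` starts as
    True and is only corrected by code that can fail."""
    allowed = True  # never do this
    try:
        allowed = library_call(user)
    except Exception:
        pass  # the swallowed error leaves the permissive default in place
    return allowed


def check_access_fail_secure(user: str, audit_log: List[str]) -> bool:
    """Default-deny version (13.4.1): access is granted only when every step
    completes; any failure is both denied and recorded."""
    allowed = False  # safe default: nothing is granted until proven otherwise
    try:
        allowed = library_call(user)
    except Exception as exc:
        # The unexpected condition is itself a security-relevant event (13.4.4).
        audit_log.append("access check failed for %s: %s" % (user, exc))
        allowed = False
    return allowed
```

An unknown user ("mallory") is granted access by `check_access_default_allow` purely because the lookup raised, and denied by `check_access_fail_secure`, which also leaves an audit entry behind.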


13.4.2. Platform Error Messages

The following guidelines should help to implement platform error messages correctly:

Never display platform stack traces or error messages on the screen. Instead, log errors and fail silently. For example, in php.ini:

    display_startup_errors = Off
    display_errors = Off
    html_errors = Off
    error_log = /path/to/error_log

http://www.php.net/manual/en/errorfunc.configuration.php

Make it easy to swap environments and use separate configuration files for development and production. It can save a lot of time to have errors displayed on the screen during development; making sure that the mechanism to swap files from development to production is easy is, by itself, the best guarantee that the procedure will actually be followed.

If developers are forbidden from seeing error messages on the screen they will find ways around this restriction to meet their (usually) tight deadlines. Occasional debug messages will make it through to production more than once if this principle is not followed.

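A small audit script for the review described in 13.3.2 and the settings above, added here as an example (not part of the course material). It reads php.ini-style text and the `php_flag`/`php_value` lines of an Apache .htaccess file, which override php.ini per directory, merges them and reports whatever would still send platform errors to the screen. The configuration text is constructed; `ini_set()` calls inside PHP source are not covered and would need a source search as in 13.3.3.

```python
"""Added example (not from the slides): audit the PHP/Apache directives that
decide whether platform errors reach the screen.

Reads php.ini-style text and Apache .htaccess `php_flag`/`php_value`
overrides, merges them in precedence order and lists what is unsafe for
production. All configuration text is constructed for the example.
"""
import re
from typing import Dict, List

# Directive -> value it must have in production (slide 13.4.2).
REQUIRED = {
    "display_errors": "off",
    "display_startup_errors": "off",
    "html_errors": "off",
}

_TRUE = {"on", "1", "true", "yes"}
_FALSE = {"off", "0", "false", "no", "none", ""}


def _as_flag(value: str) -> str:
    """Map PHP's boolean spellings to 'on'/'off'; other values (e.g. 'stderr')
    are returned unchanged so the audit can still flag them."""
    low = value.lower()
    return "on" if low in _TRUE else "off" if low in _FALSE else value


def _store(settings: Dict[str, str], key: str, value: str) -> None:
    key = key.strip().lower()
    value = value.strip().strip('"')
    settings[key] = _as_flag(value) if key in REQUIRED else value


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: `key = value`, ';' comments, [sections] ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        _store(settings, key, value)
    return settings


def parse_htaccess(text: str) -> Dict[str, str]:
    """Collect `php_flag name value` / `php_value name value` overrides."""
    settings: Dict[str, str] = {}
    for m in re.finditer(r"^\s*php_(?:flag|value)\s+(\S+)\s+(\S+)", text, re.M | re.I):
        _store(settings, m.group(1), m.group(2))
    return settings


def effective_settings(*layers: Dict[str, str]) -> Dict[str, str]:
    """Later layers win, mirroring php.ini < .htaccess precedence."""
    merged: Dict[str, str] = {}
    for layer in layers:
        merged.update(layer)
    return merged


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per directive that would expose errors or lose them."""
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append("%s not set explicitly (PHP's built-in default may enable it)" % key)
        elif actual != wanted:
            findings.append("%s = %s (must be %s)" % (key, actual, wanted))
    if not settings.get("error_log"):
        findings.append("error_log not set: errors fall back to the web server's SAPI logger")
    return findings
```

Run `audit(effective_settings(parse_php_ini(ini_text), parse_htaccess(htaccess_text)))` per document root; a production php.ini that is correct on its own is still reported as vulnerable when a stray `php_flag display_errors On` survives in a deployed .htaccess.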


13.4.3. Application Error Messages

The following guidelines should help to implement application error messages correctly:

When in doubt, err on the side of "less verbose".

Make application errors more helpful for you and for your users.

Descriptive error messages such as debug errors, SQL traces, etc. can be extremely helpful to debug certain problems, but they usually do not mean much to your end users and additionally will definitely facilitate attacking any web application.

For example, turn this message:

    "The SQL query failed! - Query: SELECT column1, column2 ..."

into this message:

    "An unexpected error has occurred. Please quote the following reference for assistance: 123456"

where 123456 is the error ID in the relevant database table holding the full stack trace, SQL queries, debug messages, etc. Now your users can help you, you do not introduce security problems and, on top of all that, you have a great tool at your fingertips to debug even non-security issues down the line.

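The reference-ID pattern above as an added example (not code from the slides). An in-memory `ErrorStore` stands in for the database table, and `run_report` is a constructed operation that fails with a query in its message; the handler keeps the exception, traceback and request context server-side and hands the caller only the generic text plus a reference. One deliberate departure from the slide's sequential "123456": the reference is drawn from the CSPRNG so that a user cannot enumerate other people's error records.

```python
"""Added example (not from the slides): generic user-facing error with an
opaque reference while the full diagnostic record stays server-side.

`ErrorStore` stands in for the error table of slide 13.4.3; `run_report`
and its SQL text are constructed for the example.
"""
import secrets
import time
import traceback
from typing import Callable, Dict, Tuple

GENERIC_MESSAGE = ("An unexpected error has occurred. Please quote the "
                   "following reference for assistance: {ref}")


class ErrorStore:
    """Stand-in for the error table: reference -> full diagnostic record."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def save(self, record: dict) -> str:
        # 16 hex chars of CSPRNG output instead of an incrementing id, so a
        # user cannot walk other people's records by changing the number.
        ref = secrets.token_hex(8)
        self.records[ref] = record
        return ref


def run_report(query: str) -> list:
    """Constructed failing operation; a real one would hit the database."""
    raise RuntimeError("syntax error near 'FROM' in: " + query)


def handle_request(operation: Callable[[], object], store: ErrorStore,
                   context: dict) -> Tuple[int, str]:
    """Run `operation`; on failure persist everything useful and return only
    the generic message plus reference to the caller."""
    try:
        return 200, str(operation())
    except Exception as exc:
        ref = store.save({
            "time": time.time(),
            "exception": repr(exc),          # full detail stays server-side
            "traceback": traceback.format_exc(),
            "context": dict(context),        # user id, route, request id ...
        })
        return 500, GENERIC_MESSAGE.format(ref=ref)


def lookup(store: ErrorStore, ref: str) -> dict:
    """Support-side lookup: this is where the authenticated operator reads
    the stack trace and query the user never saw."""
    return store.records[ref]
```

Usage: `status, message = handle_request(lambda: run_report("SELECT column1, column2 FROM payroll"), store, {"user": "alice", "route": "/report"})`. Access to `lookup` must itself be authenticated, otherwise the reference simply becomes a second channel for the same leak.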


Whenever possible, avoid including user input in error messages.

Many times, information in log messages may be viewed by other applications, perhaps an administrator screen of some internal application, etc. If such applications are vulnerable to XSS, storing the raw payload exactly as the user entered it may cause security issues. Similarly, if the SQL function saving the information in the database is vulnerable to SQL injection, there is another serious problem.

Carefully review all existing error messages to verify that they do not introduce security problems.

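Both hazards from the paragraph above in one added example (not from the slides): a logging function that stores an attacker-controlled string through a parameterised INSERT, neutralises control characters so the payload cannot forge extra log lines, and an admin view that HTML-escapes every cell at output time. The sqlite table, the table layout and the sample payload are constructed for the example.

```python
"""Added example (not from the slides): recording user-supplied data in a
security log without letting it attack the log's consumers.

Covers the two failure modes named on the slide: an administrator screen
that renders log entries (XSS) and a logging routine that builds SQL from
the payload (SQL injection), plus CR/LF log forgery. The database, table
and sample payload are constructed.
"""
import html
import sqlite3
import unicodedata

MAX_FIELD = 200  # one request must not be able to fill the log with a huge field


def neutralise(value: str, limit: int = MAX_FIELD) -> str:
    """Make a user-controlled string safe to store as a single log field:
    control and format characters (including CR/LF used to forge log lines)
    are replaced by an escaped form, and the field is length-limited."""
    out = []
    for ch in value[:limit]:
        if unicodedata.category(ch).startswith("C"):  # Cc/Cf/Co/Cn: not printable text
            code = ord(ch)
            out.append("\\x%02x" % code if code < 256 else "\\u%04x" % code)
        else:
            out.append(ch)
    if len(value) > limit:
        out.append("...[truncated %d chars]" % (len(value) - limit))
    return "".join(out)


def open_log_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE security_log (id INTEGER PRIMARY KEY, "
                 "event TEXT, username TEXT, detail TEXT)")
    return conn


def write_event(conn: sqlite3.Connection, event: str, username: str, detail: str) -> None:
    """Parameterised INSERT: the payload never becomes part of the SQL text."""
    conn.execute("INSERT INTO security_log (event, username, detail) VALUES (?, ?, ?)",
                 (event, neutralise(username), neutralise(detail)))
    conn.commit()


def render_admin_rows(conn: sqlite3.Connection) -> str:
    """What the internal admin screen emits: every field escaped at output time,
    so whatever was stored cannot execute in the administrator's browser."""
    rows = conn.execute("SELECT id, event, username, detail FROM security_log ORDER BY id").fetchall()
    body = "".join(
        "<tr>%s</tr>" % "".join("<td>%s</td>" % html.escape(str(cell), quote=True) for cell in row)
        for row in rows)
    return "<table>" + body + "</table>"
```

Storing the neutralised payload (rather than an HTML-encoded one) keeps the record useful for investigation in any viewer; encoding is the viewer's job and is done once, at the point where the text meets a browser.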


13.4.4. Logging

The following guidelines should help to address this problem:

When in doubt: record it, and err on the side of "record more".

The goal here is to ensure that as close to 100% of security incidents as possible are correctly logged by the application. This will depend on the platform, but the business logic may also require modifications to ensure that even invalid direct object references are recorded.

Whenever possible, try to centralize the code that handles logging at the application layer. Consider the following ideas: would changing the code to throw "security exceptions" simplify logging? Can (all or part of) access control be incorporated in a central component such as a base class that is inherited, known foreign keys or database permissions?

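The two ideas above (a base class that owns the access check, and a single "security exception" that one catch site turns into a log entry) as an added example, not code from the slides. `Invoice`, its rows, the users and the `audit` list that stands in for the central log sink are all constructed; the point is that a request for a record that does not exist is logged the same way as a request for someone else's record, so id-walking shows up in the log instead of disappearing into "not found" handling.

```python
"""Added example (not from the slides): centralising access control so that
every denied direct object reference raises one exception type and is
logged in one place.

`OwnedResource`, `Invoice`, the rows and users are constructed; a real
application would back `load` with the database and send the entries to
the central logging facility.
"""
import logging
from typing import Dict, List, Tuple

logger = logging.getLogger("security")


class SecurityException(Exception):
    """Raised by the central access check. A single catch site turns it into
    a log entry and a generic 403, so every handler logs identically."""

    def __init__(self, user: str, resource: str, object_id, reason: str) -> None:
        super().__init__(reason)
        self.user, self.resource, self.object_id, self.reason = user, resource, object_id, reason


class OwnedResource:
    """Base class: subclasses supply rows; the policy lives here, once."""
    resource_name = "resource"
    rows: Dict[int, dict] = {}

    def load(self, user: str, object_id: int) -> dict:
        row = self.rows.get(object_id)
        if row is None:
            # Unknown ids are still denied through the same path: bursts of
            # these are what an attacker walking ids looks like (13.3.4).
            raise SecurityException(user, self.resource_name, object_id, "no such object")
        if row["owner"] != user:
            raise SecurityException(user, self.resource_name, object_id, "not owner")
        return row


class Invoice(OwnedResource):
    resource_name = "invoice"
    rows = {1001: {"owner": "alice", "amount": 120},
            1002: {"owner": "bob", "amount": 90}}


def handle_get_invoice(user: str, object_id: int, audit: List[str]) -> Tuple[int, dict]:
    """The one catch site for the application layer."""
    try:
        return 200, Invoice().load(user, object_id)
    except SecurityException as exc:
        entry = "DENIED user=%s resource=%s id=%s reason=%s" % (
            exc.user, exc.resource, exc.object_id, exc.reason)
        audit.append(entry)        # stands in for the central log sink
        logger.warning(entry)
        return 403, {"error": "access denied"}   # generic: no hint as to why
```

Because the reason is only in the log entry and never in the response, the caller cannot use the difference between "no such object" and "not owner" to confirm which ids exist.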


Log integrity is very important. Whenever budget allows it, it is a very good idea to write the logs to write-once media and/or to another server. The reason for this is that if the web server is compromised and the adversary escalates to root privileges, then the logs simply cannot be trusted if they are on the same server.

This may be crucial in a case where prosecution is being sought: if all the evidence is in the logs and log integrity cannot be guaranteed, then the evidence will likely be invalidated by most courts.

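A software-level complement to the advice above, added as an example and not described on the slides: tamper-evident chaining of log records. Each record carries an HMAC over its content and the previous record's tag, keyed with a secret held only on the log collector, never on the web host. Shipping the records off the compromised server is still what makes them trustworthy; the chain adds the ability to prove exactly where the copy the intruder could reach was altered, reordered or had records removed. The key and the sample events are constructed.

```python
"""Added example (not from the slides): tamper-evident log chaining as a
complement to write-once media or a separate log server.

Every record is tagged with HMAC-SHA256 over (seq, previous tag, event),
keyed with a secret that lives on the collector. The key and events here
are constructed for the example.
"""
import hashlib
import hmac
from typing import List, Optional

GENESIS = "0" * 64  # previous-tag value for the very first record


class ChainedLog:
    def __init__(self, key: bytes) -> None:
        self._key = key               # collector-side secret, never on the web host
        self.records: List[dict] = []
        self._last_tag = GENESIS

    def _tag(self, seq: int, prev_tag: str, event: str) -> str:
        msg = ("%d|%s|%s" % (seq, prev_tag, event)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event: str) -> dict:
        seq = len(self.records)
        rec = {"seq": seq, "prev": self._last_tag, "event": event,
               "tag": self._tag(seq, self._last_tag, event)}
        self.records.append(rec)
        self._last_tag = rec["tag"]
        return rec

    def verify(self) -> Optional[int]:
        """None if the chain is intact; otherwise the index of the first
        record that fails (altered, reordered, or following a removed one)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return i
            if not hmac.compare_digest(rec["tag"], self._tag(i, prev, rec["event"])):
                return i
            prev = rec["tag"]
        return None

    def last_tag(self) -> str:
        """What the collector remembers between batches: a chain that has
        simply been cut short still verifies, so the collector compares the
        final tag it sees against the last one it accepted."""
        return self._last_tag
```

Deleting the most recent records leaves a chain that still verifies on its own; that case is caught only because the collector keeps `last_tag()` from the previous batch and refuses a chain that ends earlier than that.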


Log retention policies of at least 1 year are highly recommended, based on the measured breach-to-detection duration (210 days on average). Compliance and industry regulations are another factor to consider when defining appropriate log retention policies.

http://www2.trustwave.com/rs/trustwave/images/Trustwave_GSR_ExecutiveSummary_Final


13.5. Further Reading

• Log file retention policy example
• Logging policy: data protection, interception and Freedom of Information
• Apache Log files
• Windows log retention policy
• Windows Logging
• Logging on Linux: What to Look Out For With Lots of Linux Boxes


Labs

Error Handling and Logging: platform error messages, application error messages and logging.
Hera PWD > Scenario > Error Handling and Logging

Video: Error Handling and Logging

eLearnSecurity © 2013. All rights reserved.