June 1, 2011, 2:58 p.m.
posted by creed
This section correlates to section 5.2 of the WASC Threat Classification.
Error conditions that occur during application and site usage and are not handled properly give away many clues an attacker can use when designing an attack. Attackers can learn intimate details about a target simply by generating errors. You have seen enough of this by now that it should not be a novel concept: during Discovery you saw errors generated deliberately to gain target details, and during SQL Injection you saw database errors reveal details that should never be exposed.
Simple functional testing can determine how your target responds to various kinds of input and actions, and in turn which errors get generated. Deeper testing such as parameter injection and SQL Injection can reveal further details via unhandled errors.
Code audits are excellent in this respect because the logic for handling errors and exceptions should be visible in the code. If you have the luxury of doing a code audit as part of a pen test, check not only that error handling is present but also that it is used consistently across the entire app, and that what reaches the client is a generic message rather than the raw exception. The following are some things to bear in mind when testing error-handling mechanisms:
Browsers are not all equal, so use multiple browsers
Use those browsers on different OSes, because they are definitely not created equal either
Test error handling on both the client and the server side; client-side handling can be bypassed, so it must never be the only layer
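The functional-testing approach above (send various kinds of input, watch what errors come back) and the checklist that follows it can be scripted. The following is an added example, not code from the original post: it builds one probe request per parameter and per malformed value, then scans each response for error output that should never reach a client (DB syntax errors, stack traces, local file paths). The target URL, the parameter name `id`, and `fake_target` are all constructed for the example so it runs offline; the canned responses imitate a leaky PHP/Python application and are not taken from any real site.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

Response = Tuple[int, str]  # (HTTP status, body)

# Probe values a functional tester sends into every parameter. Each one is
# aimed at a different class of unhandled error: type conversion, range and
# length checks, encoding, path handling, and the SQL syntax errors seen
# during SQL Injection. Constructed for this example.
PROBES: Dict[str, str] = {
    "empty":        "",
    "non_numeric":  "abc",
    "negative":     "-1",
    "overflow":     "99999999999999999999",
    "oversize":     "A" * 5000,
    "single_quote": "'",
    "null_byte":    "\x00",
    "path_chars":   "../",
}

# Signatures of error output that should never reach a client. Order matters
# only for the order in which findings are reported.
LEAK_SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("mysql_error",  re.compile(r"You have an error in your SQL syntax|Warning: mysql_", re.I)),
    ("mssql_error",  re.compile(r"Unclosed quotation mark|OLE DB|ODBC.*Driver", re.I)),
    ("oracle_error", re.compile(r"\bORA-\d{5}\b")),
    ("python_trace", re.compile(r"Traceback \(most recent call last\)")),
    ("java_trace",   re.compile(r"\bat [\w.$]+\(\w+\.java:\d+\)")),
    ("dotnet_trace", re.compile(r"\[\w+Exception\]|Stack Trace:", re.I)),
    ("php_notice",   re.compile(r"<b>(Warning|Fatal error|Notice)</b>:", re.I)),
    ("local_path",   re.compile(r"(?:[A-Za-z]:\\|/var/www/|/home/)[\w\\/.-]+")),
]


def build_probe_urls(base_url: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """For each parameter, substitute every probe value while the other
    parameters keep their known-good baseline value, so each request
    exercises exactly one input. Returns (param, probe_name, url) triples."""
    out = []
    for param in baseline:
        for probe_name, value in PROBES.items():
            query = dict(baseline)
            query[param] = value
            out.append((param, probe_name, f"{base_url}?{urlencode(query)}"))
    return out


def classify_response(status: int, body: str) -> List[str]:
    """Return the labels of every leak signature found in the body. A 5xx with
    no recognised signature is still flagged: the exception was not handled,
    it was only (perhaps partially) masked, and deserves a manual look."""
    hits = [label for label, pattern in LEAK_SIGNATURES if pattern.search(body)]
    if status >= 500 and not hits:
        hits.append("unhandled_5xx")
    return hits


def run_probes(send: Callable[[str], Response], base_url: str,
               baseline: Dict[str, str]) -> List[dict]:
    """Send every probe URL through `send` and collect the leaky responses.
    `send` is injected so the same logic works with a real HTTP client."""
    findings = []
    for param, probe_name, url in build_probe_urls(base_url, baseline):
        status, body = send(url)
        leaks = classify_response(status, body)
        if leaks:
            findings.append({"param": param, "probe": probe_name,
                             "status": status, "leaks": leaks})
    return findings


def fake_target(url: str) -> Response:
    """Constructed stand-in for a real server so the example runs offline.
    It imitates an application that validates nothing and lets raw errors
    through; the bodies are invented, not captured from a real site."""
    item_id = parse_qs(urlparse(url).query, keep_blank_values=True).get("id", [""])[0]
    if item_id == "'":
        return 500, ("<b>Warning</b>: mysql_query(): You have an error in your SQL syntax; "
                     "check the manual near ''' at line 1 in "
                     "<b>/var/www/html/item.php</b> on line <b>42</b>")
    if item_id == "abc":
        return 200, ("Traceback (most recent call last):\n"
                     "  File \"app.py\", line 10, in show\n"
                     "ValueError: invalid literal for int() with base 10: 'abc'")
    if item_id == "-1":
        return 404, "Item not found"   # handled properly: generic, no detail
    return 200, "<html><body>Item 7</body></html>"


if __name__ == "__main__":
    for f in run_probes(fake_target, "http://example.test/item.php", {"id": "7"}):
        print(f"{f['param']}={f['probe']!r:14} HTTP {f['status']}: {', '.join(f['leaks'])}")
```

To point this at a real target, replace `fake_target` with a function that performs the GET (for example with `requests`) and returns `(r.status_code, r.text)`. Because the checklist warns that browsers and OSes are not created equal, run the same probes with several `User-Agent` values: a server that branches on the client can hand one browser a friendly page and another the raw exception.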