Presentation is loading. Please wait.

Presentation is loading. Please wait.

Error Message Handling

Published byPoppy Palmer Modified over 6 years ago

Similar presentations

Presentation on theme: "Error Message Handling"— Presentation transcript:

1 Error Message Handling

2 Improper handling of errors can introduce a variety of security problems for a web site.
The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. These errors must be handled according to a well thought out scheme that will: provide a meaningful error message to the user diagnostic information to the site maintainers no useful information to an attacker Such details can provide hackers important clues on potential flaws in the site and such messages are also disturbing to normal users.

3 Example Even when error messages don’t provide a lot of detail, inconsistencies in such messages can still reveal important clues on how a site works, and what information is present under the covers. For example, when a user tries to access a file that does not exist, the error message typically indicates, “file not found”. When accessing a file that the user is not authorized for, it indicates, “access denied”. The user is not supposed to know the file even exists, but such inconsistencies will readily reveal the presence or absence of inaccessible files or the site’s directory structure.

4 Good error handling practices
Good error handling mechanisms should be able to handle: any feasible set of inputs while enforcing proper security Simple error messages should be: produced and logged so that their cause, whether an error in the site or a hacking attempt, can be reviewed.

5 How to determine vulnerability
Thorough testing Code review

6 How to protect? Errors should be documented including:
the types of errors to be handled and for each, what information is going to be reported back to the user  what information is going to be logged  When errors occur, the site should respond with a specifically designed result that is helpful to the user without revealing unnecessary internal details The ability to detect/track failures

7

8 Server log Viewing Guidelines
A good approach to keep up to dated with the server error logs is to keep periodically checking on the Log Viewer for server errors. As QA, we should check the log viewer at the end of every sprint, and share the number and type of errors logged via a generic ticket with the development team.  Another good exercise would be to lookup the error logs before starting to test a new feature/task. When you are done with testing the feature/task, check the error logs again, if there are any error logs that appeared during the testing of that feature, share the findings with development team within that particular task's comments section. This can help us pinpoint the change that set off the error logs.

9 Another good practice would be 'Set an Alarm' on daily basis, so that the error log reports can be sent to our on hourly/daily/weekly basis. Ideally, the number of error logs should reduce with every sprint. If not, then we can bring this point into notice to our team and TAG. The URL is as follows:

10 Screens of death A Yellow Screen of Death (also called YSoD) occurs when an ASP.NET web application encounters a problem and crashes.[4] It also appears on the browser Mozilla Firefox when there are errors in reading the .xml web format.  It can be caused by unhandled exceptions in your code, by making requests to resources that do not exist, etc. 

11

12

13 References minimizing-yellow-screen-of-death-in-asp-net-mvc/ ERR-001%29

Download ppt "Error Message Handling"

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
P5, M1, D1.

P5, M1, D1.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Exploiting Information Disclosure Vincent CH14. Introduction In this chapter, we will try to extract further information from an application during an.

Exploiting Information Disclosure Vincent CH14. Introduction In this chapter, we will try to extract further information from an application during an.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
CUWebAuth Technical Presentation Pete Bosanko Identity Management Team.

CUWebAuth Technical Presentation Pete Bosanko Identity Management Team.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
.NET Health Monitoring Jonathan Franco ITD Application Services.

.NET Health Monitoring Jonathan Franco ITD Application Services.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Similar presentations

Ads by Google