Testing for Error Handling

AWesome
Mar 8, 2023

In this article, I will discuss what error handling is, examples of error handling, and testing error handling in the OWASP Web Security Testing Guide.

What Is Error Handling?

Error handling is the part of software development in which programs are written to deal with errors or unexpected conditions that may occur while the program is running.

While a program runs, errors or unexpected conditions can occur, such as syntax errors, input or output errors, or logic errors. If the program is not written to handle them, it may stop or crash, causing the user to lose data or have a bad experience with the program.

To prevent this, programs should include appropriate error handling. This is done by adding code that detects the error, provides a clear error message, and takes the appropriate action to resolve the issue, so that the program can continue to perform its functions without being interrupted by errors or unexpected conditions.

Example of Error Handling

A common example of deliberate error handling, such as when a user enters letters in a phone number field, is data validation. Data validation is the process of verifying that the data entered by the user matches the expected format. If the data does not match the expected format, the program displays an appropriate error message.

The following is an example of data validation in Python to ensure that the phone number entered by the user consists only of numbers:

phone_number = input("Enter the phone number: ")
# Reject input that contains anything other than numeric characters
if not phone_number.isnumeric():
    print("Phone numbers can only consist of numbers")

In the above example, the isnumeric() string method is used to check whether the value entered by the user consists only of numbers. If not, the program displays an appropriate error message.

This way, the user can be given a clear message and can correct their input so that the program does not fail when executed. Data validation can also be used to ensure other inputs such as email addresses, date formats, or other types of data are expected in the program.
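As an added example (not code from the original article), the check above is widened into a small validator for the other input types the paragraph mentions: phone number, email address and date. It also handles a caveat of isnumeric(): that method accepts any Unicode numeric character, such as "²" or "٣", so an explicit [0-9] pattern is used for the phone field. The field names and the accepted formats are assumptions chosen for the example.

```python
import re
from datetime import date

# Added example, not from the original article. Field names and formats are assumptions.

# str.isnumeric() also accepts Unicode numerics such as "²", so an anchored
# [0-9] pattern is used for a strict "ASCII digits only" check.
PHONE_RE = re.compile(r"[0-9]{7,15}")
# Deliberately simple shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def validate_phone(value: str):
    """Return (ok, message). Only ASCII digits, 7 to 15 of them, are accepted."""
    if not PHONE_RE.fullmatch(value):
        return False, "Phone numbers can only consist of numbers"
    return True, ""


def validate_email(value: str):
    """Return (ok, message) for a basic email address shape check."""
    if not EMAIL_RE.fullmatch(value):
        return False, "Email address is not in a valid format"
    return True, ""


def validate_date(value: str):
    """Return (ok, message). Expects YYYY-MM-DD; date.fromisoformat raises ValueError
    for both malformed strings and impossible dates such as 1990-02-30."""
    try:
        date.fromisoformat(value)
    except ValueError:
        return False, "Date must be in YYYY-MM-DD format"
    return True, ""


def validate_form(form: dict) -> dict:
    """Run every field validator and return {field: message} for the fields that failed.
    An empty dict means the whole form is acceptable."""
    validators = {"phone": validate_phone, "email": validate_email, "dob": validate_date}
    errors = {}
    for field, check in validators.items():
        ok, msg = check(form.get(field, ""))
        if not ok:
            errors[field] = msg
    return errors


if __name__ == "__main__":
    # Constructed sample input: the phone and email are fine, the date does not exist.
    sample = {"phone": "08123456789", "email": "user@example.com", "dob": "1990-02-30"}
    print(validate_form(sample))
```

Each validator returns a message meant for the user, so the caller can report every invalid field at once instead of failing on the first exception.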

Testing for Error Handling

The error handling test below is based on the OWASP Web Security Testing Guide.

1. Testing for Improper Error Handling

What is Improper Error Handling?

This weakness occurs when applications (web apps, web servers, databases, etc.) cannot handle errors properly or do not provide clear error messages to users. This can provide an opportunity for an attacker to obtain sensitive information or perform other attacks on the web application.

Improper error handling can allow attackers to:

  • Understand the APIs being used internally.
  • Map the various services integrating with each other by gaining insight on internal systems and frameworks used, which opens up doors to attack chaining.
  • Gather the versions and types of applications being used.
  • DoS the system by forcing the system into a deadlock or an unhandled exception that sends a panic signal to the engine running it.
  • Controls bypass where a certain exception is not restricted by the logic set around the happy path.

Test Objectives:

  • Identify existing error output.
  • Analyze the different output returned.

In the example below, the test was performed by changing the value of the productId parameter from the integer 2 to the string “test”. The returned error message shows that the application failed while converting the string “test” to an integer, in an unidentified line of code; this is the NumberFormatException mentioned in the error message.

The weakness an attacker could exploit here is unvalidated input in an application that uses Apache Struts 2 2.3.31. An attacker could take advantage of it by supplying invalid input, such as unexpected characters or values in form fields or URL parameters, or otherwise compromising application security.

In this case, an attacker could enter the value “test” in a parameter that should contain an integer, causing a conversion error that results in an Internal Server Error. Attackers can use such errors as a starting point for other attacks, such as SQL Injection, Cross-Site Scripting (XSS), or others, depending on the application weakness being exploited.

[Screenshot: before]
[Screenshot: after]
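As an added example (not the article's or OWASP's code), the following Python models the productId test above end to end: a verbose handler that returns the exception and stack trace to the client (the "before" situation), a hardened handler that validates the parameter, logs the details server-side and returns a generic message with a reference id, and a small checker that applies the two test objectives, identifying error output and analysing what comes back. The catalog, the handler signatures and the list of leak indicators are constructed assumptions.

```python
import logging
import re
import traceback
import uuid

# Added example, not from the article or OWASP. Catalog, handlers and patterns are assumptions.

logger = logging.getLogger("shop")


def lookup_product(product_id: int) -> dict:
    """Constructed stand-in for a database lookup; raises KeyError for unknown ids."""
    catalog = {1: {"name": "Widget"}, 2: {"name": "Gadget"}}
    return catalog[product_id]


def handle_verbose(params: dict):
    """'Before' variant: the raw exception text and stack trace are sent to the client."""
    try:
        product = lookup_product(int(params["productId"]))
        return 200, str(product)
    except Exception:
        return 500, "Internal Server Error\n" + traceback.format_exc()


def handle_hardened(params: dict):
    """'After' variant: validate first, log details server-side, return generic bodies."""
    raw = params.get("productId", "")
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        return 400, "Invalid productId"
    try:
        product = lookup_product(int(raw))
    except KeyError:
        return 404, "Product not found"
    except Exception:
        incident = uuid.uuid4().hex
        # Full traceback stays in the server log; only the reference id reaches the client.
        logger.exception("unhandled error, incident %s", incident)
        return 500, f"Internal Server Error (ref {incident})"
    return 200, str(product)


# Indicators that a response body reveals internals (constructed list; extend for
# the frameworks in use, e.g. Java-style "at pkg.Class(File.java:12)" frames).
LEAK_PATTERNS = [
    r"Traceback \(most recent call last\)",
    r"File \".*\", line \d+",
    r"\b\w+(Error|Exception)\b:",
    r"NumberFormatException",
    r"\bat [\w.$]+\([\w.]+:\d+\)",
]


def leaks_internals(body: str) -> bool:
    """True if the body matches any stack-trace or exception-name indicator."""
    return any(re.search(p, body) for p in LEAK_PATTERNS)


def probe(handler, values=("2", "test", "99", "")):
    """Apply the test objectives: send each crafted productId to the handler and
    record (value, status, leaks) so the outputs can be compared."""
    results = []
    for value in values:
        status, body = handler({"productId": value})
        results.append((value, status, leaks_internals(body)))
    return results


if __name__ == "__main__":
    for name, handler in (("before", handle_verbose), ("after", handle_hardened)):
        print(name, probe(handler))
```

The verbose handler answers every bad input with a 500 whose body names the exception and the file and line that raised it, which is exactly what the test objectives are looking for. The hardened handler distinguishes malformed input (400) from a missing record (404), keeps the traceback in the server log, and gives the client only a reference id that support staff can correlate with that log entry.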

2. Testing for Stack Traces

Testing for Stack Traces has been merged into Testing for Improper Error Handling.

Conclusion

The point of error handling is to avoid revealing too much information about the application; at the same time, the error messages an application does return can be used by a tester to identify injection points in the target features.
