solitx.blogg.se

Xsection 7.7 traces of the section plane






Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It's possible to cause these errors to be displayed by using particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

This section analyses the more common codes (error messages) and brings into focus their relevance during a vulnerability assessment. The most important aspect of this activity is to focus one's attention on these errors, seeing them as a collection of information that will aid in the next steps of our analysis. A good collection can facilitate assessment efficiency by decreasing the overall time taken to perform the penetration test.

Attackers sometimes use search engines to locate errors that disclose information. Searches can be performed to find any erroneous sites as random victims, or it is possible to search for errors in a specific site using the search engine filtering tools as described in 4.2.1 Conduct Search Engine Discovery and Reconnaissance for Information Leakage.

Web Server Errors

A common error that we can see during testing is the HTTP 404 Not Found. Often this error code provides useful details about the underlying web server and associated components:

The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80

This error message can be generated by requesting a non-existent URL. After the common message that shows a page not found, there is information about web server version, OS, modules and other products used. This information can be very important from an OS and application type and version identification point of view.

Other HTTP response codes such as 400 Bad Request, 405 Method Not Allowed, 501 Method Not Implemented, 408 Request Time-out and 505 HTTP Version Not Supported can be forced by an attacker. When receiving specially crafted requests, web servers may provide one of these error codes depending on their HTTP implementation.

Testing for disclosed information in the Web Server error codes is related to testing for information disclosed in the HTTP headers as described in the section Fingerprint Web Server.

Application Server Errors

Application errors are returned by the application itself, rather than the web server. These could be error messages from framework code (ASP, JSP etc.) or they could be specific errors returned by the application code. Detailed application errors typically provide information about server paths, installed libraries and application versions.

Database Errors

Database errors are those returned by the Database System when there is a problem with the query or the connection. Each Database system, such as MySQL, Oracle or MSSQL, has its own set of errors. Those errors can provide sensitive information such as Database server IPs, tables, columns and login details.
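As an added example (not part of the original page), the following check lets a team audit its own error pages for the three kinds of disclosure this page describes: web server, application and database errors. The function names, the regular expressions and the sample bodies are assumptions constructed for illustration; only the Apache banner is taken from the page.

```python
import re

# Patterns are illustrative assumptions grouped by the page's three error
# categories; extend them for the stack you actually run.
SIGNATURES = {
    "web_server": [
        # Product/version tokens such as "Apache/2.2.3" or "PHP/5.1.2"
        re.compile(r"\b(?:Apache|nginx|Microsoft-IIS|OpenSSL|PHP|mod_\w+)/\d[\w.]*"),
    ],
    "application": [
        re.compile(r"Traceback \(most recent call last\)"),       # Python trace
        re.compile(r"\bat [\w.$]+\([\w$]+\.java:\d+\)"),          # Java stack frame
        re.compile(r"(?:/(?:var|usr|home|opt|srv)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+)"),
    ],
    "database": [
        re.compile(r"You have an error in your SQL syntax"),      # MySQL
        re.compile(r"\bORA-\d{5}\b"),                             # Oracle
        re.compile(r"Unclosed quotation mark after the character string"),  # MSSQL
    ],
}

def find_disclosures(body):
    """Return {category: sorted list of leaked strings} for one response body."""
    hits = {}
    for category, patterns in SIGNATURES.items():
        found = set()
        for pattern in patterns:
            found.update(m.group(0) for m in pattern.finditer(body))
        if found:
            hits[category] = sorted(found)
    return hits

# Constructed sample bodies; the first reuses the banner quoted on this page.
SAMPLES = {
    "default_404": "The requested URL /page.html was not found on this server.\n"
                   "Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 "
                   "Server at localhost Port 80",
    "db_error": "Warning: You have an error in your SQL syntax near ''' "
                "in /var/www/app/db.php on line 12",
    "custom_404": "Sorry, the page you requested could not be found.",
}

def audit(samples=SAMPLES):
    """Map each sample name to its findings; an empty dict means a clean page."""
    return {name: find_disclosures(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings or "clean")
```

Run against saved responses from a staging environment, a non-empty result for any error page is a finding to fix by replacing the default page with a generic one and suppressing version banners.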





