When a website is being attacked by a hacker, one attack approach is
to cause the website to fail in some manner. The thinking behind this
approach is to use the error message to gain ‘inside’ information about
the website. With this information, the attacker is planning to better
organise their attacks on the website.
Using this sample database error message from a blog by Securiteam on sql injection as an example; by causing the error, a hacker can see that the first table name in the database is called ‘admin_login’.
For example, I discussed the importance of data validation to ensure that no inappropriate data inputs could be used to attack a website. In such a scenario, rather than having the website failing and producing an internal error message such as in the above example, a user friendly message should be displayed, indicating the expected format and length of input.
Error messages can provide detailed information and in the wrong hands…
Error messages, by default, are designed to provide all the necessary information to help resolve the error. However, in the wrong hands, this type of content can provide ‘valuable’ information on how the website operates in addition to access to privacy related information on customers and transactions.Using this sample database error message from a blog by Securiteam on sql injection as an example; by causing the error, a hacker can see that the first table name in the database is called ‘admin_login’.
Microsoft OLE DB Provider for ODBC Drivers error ’80040e07′With a subsequent query, it can be possible to start to extract the column names of this table, as the example shows the column name ‘login_id’.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘admin_login’ to a column of data type int.
/index.asp, line 5
Microsoft OLE DB Provider for ODBC Drivers error ’80040e07′In this example, with the names of the table and columns, it would be possible for a hacker to easily get access to login ids and passwords for the website.
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘login_id’ to a column of data type int.
/index.asp, line 5
The best defence is…
The best place to start to ensure that any error messages are handled securely is when the website is being designed and developed. As the website requirements are being discussed, any related exceptions that may cause an error should also be documented.For example, I discussed the importance of data validation to ensure that no inappropriate data inputs could be used to attack a website. In such a scenario, rather than having the website failing and producing an internal error message such as in the above example, a user friendly message should be displayed, indicating the expected format and length of input.
Test and test again…
During the testing of the website, security testing using different attack scenarios should be completed to test the strength of your website by simulating a series of different attack methods and reviewing the results to detect and correct any weaknesses. These penetration testing scenarios should cover both typical attack methods, along with any unexpected attacks or errors. To ensure that the ‘unexpected’ errors are tested, brainstorming sessions involving developers and business owners who know their user community will be necessary, where the focus is on uncovering any unusual and unexpected user actions.Fail safe is key
When designing the website, an important principle to include is to ensure that if an error occurs, sufficient information is provided to guide the user with no information on any server or software related topics (i.e. the website has ‘failed’ into a safe mode). In addition, all errors should be handled in a structured manner, so that irrespective where an error occurs on a website, the response is the same and managed in a consistent manner.Business logic not the code can be the problem
When reviewing your website for potential weaknesses, it’s more important to assess the logic of your workflows, as the logic is the foundation for your code. The logic is driven by the business rules of the functions being provided by the website. Two examples of possible mis-use of logic include;- The provision of a password reminder function to assist legitimate users who may have forgotten their passwords. To ensure that such a function is not abused by a hacker, a captcha function can be included to prevent any brute force attacks.
- The assumption that a withdrawal amount entered into an online banking service will be positive, thus leaving the possibility that a negative amount will trigger a credit to a person’s account. A data validation check on the entered value should resolve this potential weakness
No comments:
Post a Comment