Error messages containing sensitive information
Protect your applications against risky error messages
JavaScript
When an application encounters an error, it often generates an error message to provide feedback to users or developers. If these error messages contain sensitive information such as database connection strings, usernames, passwords, or session tokens, they can lead to serious security vulnerabilities. Attackers may be able to use this information to gain unauthorized access to the system and steal sensitive data.
About this lesson
In this lesson, you will learn how generating error messages containing sensitive information works and how to protect your applications against it. We will begin by exploiting a vulnerability in a simple application. Then we will analyze the vulnerable code and explore some options for remediation and prevention.
Jerry the developer stayed up very late and had just completed an application for a client that was ready for production. The application had a feature that allowed users to search for products in an inventory. However, there was a flaw in the error-handling mechanism. When a user entered a search query that contained a double quote ("), the application displayed a detailed error message that contained the database connection string, which contained sensitive information such as the username and password. Unfortunately, a hacker took advantage of this vulnerability and gained unauthorized access to the database, exposing sensitive data.
The vulnerability occurs when an application generates an error message that contains sensitive information such as usernames, passwords, or database connection strings. Attackers can exploit this vulnerability by intercepting the error message or intentionally causing an error to occur.
Here is an example of vulnerable code in JavaScript:
In the above code, the error message generated by the exception is returned to the user or developer, and it may contain sensitive information such as the database connection string.
The most common cause of overly verbose error messages is simply that a production instance of a framework is still producing error messages as if it were in a development environment.
Impacts of generating error messages containing sensitive information
The impact of this vulnerability is significant because it can lead to unauthorized access to the system, resulting in the exposure of sensitive data. Attackers can use the information obtained from error messages to carry out further attacks, such as injection attacks or privilege escalation.
What sort of sensitive information do hackers look for?
In the example above, the error message gave away some extremely sensitive information: a database name, username, and password. But error messages can also give away other information, such as email addresses or system configuration details. The system might expose not just that it runs PHP on the backend, but that it runs a specific version that is no longer supported.
Even the simple error message "This username cannot be found, please try again." gives the attacker some information about which usernames can be found.
Below are a few tips to help prevent the generation of error messages containing sensitive information in your applications:
- Ensure that production applications are not revealing development errors. Typically, these settings live in the configuration file of whatever framework you use.
- Avoid displaying detailed error messages to users or developers
- Implement proper error-handling mechanisms that do not reveal sensitive information
To resolve the vulnerable code snippet above, you could write the detailed logs to a log file, but keep the error that is displayed to the user generic, like this:
Keep learning
To learn more about the generation of error messages containing sensitive information, check out the following links:
- Check out the OWASP site for Improper Error Handling
- Learn more about CWE-209 here: https://cwe.mitre.org/data/definitions/209.html