Error messages containing sensitive information
Protect your applications against risky error messages
When an application encounters an error, it often generates an error message to provide feedback to users or developers. If these error messages contain sensitive information such as database connection strings, usernames, passwords, or session tokens it could lead to serious security vulnerabilities. Attackers may be able to use this information to gain unauthorized access to the system and steal sensitive data.
About this lesson
In this lesson, you will learn how generating error messages containing sensitive information works and how to protect your applications against it. We will begin by exploiting a vulnerability in a simple application. Then we will analyze the vulnerable code and explore some options for remediation and prevention.
More than usernames
Error messages can contain more information than just confirming whether a username exists. They can potentially provide information on how a system is configured which can result in hackers identifying potential exploits!
Jerry the developer stayed up very late and had just completed an application for a client that was ready for production. The application had a feature that allowed users to search for products in an inventory. However, there was a flaw in the error-handling mechanism. When a user entered a search query that contained a double quote ("), the application displayed a detailed error message that contained the database connection string, which in turn held sensitive information such as the username and password. Unfortunately, a hacker took advantage of this vulnerability and gained unauthorized access to the database, exposing sensitive data.
Attacking an application through error messages
Setting the stage
Let's revisit BigHatCorp. We want to try and break their system and receive an error message for an action that the developers weren't expecting.
The vulnerability occurs when an application generates an error message that contains sensitive information such as usernames, passwords, or database connection strings. Attackers can exploit this vulnerability by intercepting the error message or intentionally causing an error to occur.
In the above code, the error message generated by the exception is returned to the user or developer, and it may contain sensitive information such as the database connection string.
The most common cause of overly verbose error messages is simply that a production instance of a framework is still producing error messages as if it were in a development environment.
Impacts of generating error messages containing sensitive information
The impact of this vulnerability is significant because it can lead to unauthorized access to the system, resulting in the exposure of sensitive data. Attackers can use the information obtained from error messages to carry out further attacks, such as injection attacks or privilege escalation.
What sort of sensitive information do hackers look for?
In the example above, the error message gave away some extremely sensitive information: a database name, username, and password. But error messages can sometimes give other information such as email addresses or system configuration details. Maybe the system will expose not just that it runs PHP on the backend, but also that it runs a specific version that is no longer supported.
Even the simple error message of "This username cannot be found, please try again." gives the attacker some information about what usernames can be found.
Below are a few tips to help prevent the generation of error messages containing sensitive information in your applications:
- Ensure that production applications are not revealing development errors. Typically, these settings are in the configuration file of whatever framework you use
- Avoid displaying detailed error messages to users or developers
- Implement proper error-handling mechanisms that do not reveal sensitive information
To resolve the vulnerable code snippet above, you could write the detailed logs to a log file, but keep the error that is displayed to the user generic, like this:
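The following is an added example (not the lesson's own snippet) showing the vulnerable and the remediated search handler side by side in Python. The connection string, the simulated driver error, and the `inventory` logger name are constructed for the example; the hardened handler logs the full exception server-side under a correlation id and returns only a generic message to the client.

```python
import logging
import uuid

# Constructed, fake connection string: the kind of secret a verbose error leaks.
DB_CONN = "postgresql://inventory_user:S3cretPa55@db.internal:5432/inventory"

log = logging.getLogger("inventory")


class QueryError(Exception):
    """Stands in for a database driver error that echoes the connection string."""


def run_query(term: str) -> list:
    # Simulated driver: an unbalanced double quote breaks the query, and the
    # driver's error text includes the connection details (a realistic pattern).
    if '"' in term:
        raise QueryError(f'syntax error near "{term}" while connected to {DB_CONN}')
    return [p for p in ("widget", "gadget") if term.lower() in p]


def search_vulnerable(term: str) -> tuple:
    # Vulnerable: the raw exception text goes straight back to the client.
    try:
        return 200, {"results": run_query(term)}
    except QueryError as exc:
        return 500, {"error": str(exc)}


def search_hardened(term: str) -> tuple:
    # Hardened: full detail is logged server-side under a correlation id;
    # the client only sees a generic message plus that id for support lookups.
    try:
        return 200, {"results": run_query(term)}
    except QueryError:
        incident_id = uuid.uuid4().hex[:12]
        log.exception("search failed incident=%s term=%r", incident_id, term)
        return 500, {"error": "Search is temporarily unavailable.", "incident_id": incident_id}


def leaks_secret(body: dict) -> bool:
    # Check a test or reviewer can apply: does the client-facing response
    # contain any fragment of the connection string?
    text = str(body)
    return any(part in text for part in ("inventory_user", "S3cretPa55", "db.internal"))


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (search_vulnerable, search_hardened):
        status, body = handler('gad"get')
        print(handler.__name__, status, body, "leaks secret:", leaks_secret(body))
```

Running the script shows the vulnerable handler echoing the credentials while the hardened one returns only the generic message and an incident id; the details land in the server log, where the `leaks_secret` check can also be reused in tests to catch regressions.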
Test your knowledge!
Which of the following is the best way to display an error message for a failed login?
You have taken your first step into learning what the generation of error messages containing sensitive information is, how it works, what the impacts are, and how to protect your own applications. We hope that you will apply this knowledge to make your applications safer.
We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.