PCI DSS 6.5.6
Posted: January 20th, 2010 | Filed under: IIS & HTTP, Web Security Tools | Tags: error handling, pci, servermask
Information Leakage and Improper Error Handling
Information leakage and improper error handling occur when a web application does not limit the information it returns to its users. A web application can leak the web server software and version (IIS, Apache, etc.), the operating system and its patch level, and the names and versions of the components the site relies on (PHP, SSL libraries, SQL databases). That is a significant security weakness in itself, and so is displaying detailed error output or debug code.
“Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks,” OWASP says.
An attacker's first goal is to provoke error messages from the web application: the more information those messages carry, the better the attacker's chance of compromising the site. To obtain them, the attacker deliberately forces conditions under which errors occur. A classic example of improper error handling is an application that does not sanitize the SQL error messages it returns to the user; on receiving a SQL error message, an attacker immediately identifies an injection flaw.
An Example of Improper Error Handling
Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ‘\’., SQL state 37000 in SQLExecDirect in C:\xampp\htdocs\changepw.php on line 134
Warning: odbc_do() [function.odbc-do]: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ‘\’., SQL state 37000 in SQLExecDirect in C:\xampp\htdocs\changepw.php on line 136
Warning: odbc_fetch_row(): supplied argument is not a valid ODBC result resource in C:\xampp\htdocs\changepw.php on line 138
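The three warnings above reveal the database driver, the SQL state, the absolute path of the script and the failing line numbers. A cheap defensive check is to scan your own application's responses (in an integration test or a log review) for exactly this kind of detail. The following is an added example, not code from the original post or from Port80; the signature list is illustrative, and the sample responses are constructed for the test (the leaky one is a copy of the output shown above).

```python
import re

# Signatures of server-side detail that should never reach a browser.
# Illustrative only; extend for the stacks you actually run.
LEAK_PATTERNS = {
    "php_warning": re.compile(r"\bWarning:\s+\w+\(\)"),
    "sql_error": re.compile(r"SQL error:|SQL state \d+|\[ODBC .*?Driver\]", re.I),
    "source_path": re.compile(r"[A-Za-z]:\\[^\s]+\.php|/var/www/[^\s]+"),
    "line_number": re.compile(r"\bon line \d+"),
    "php_resource": re.compile(r"not a valid \w+ result resource"),
}


def find_leaks(body):
    """Return {category: [matched text, ...]} for every signature present in body."""
    hits = {}
    for name, pattern in LEAK_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(body)]
        if matches:
            hits[name] = matches
    return hits


def has_leak(body):
    """True if the response body carries any server-internal detail."""
    return bool(find_leaks(body))


# Constructed sample: the response text quoted in the post above.
SAMPLE_LEAKY = r"""
Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '\'., SQL state 37000 in SQLExecDirect in C:\xampp\htdocs\changepw.php on line 134
Warning: odbc_do() [function.odbc-do]: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near '\'., SQL state 37000 in SQLExecDirect in C:\xampp\htdocs\changepw.php on line 136
Warning: odbc_fetch_row(): supplied argument is not a valid ODBC result resource in C:\xampp\htdocs\changepw.php on line 138
"""

# Constructed sample: what the client should see instead.
SAMPLE_CLEAN = "<h1>Not Found</h1><p>The requested resource could not be found.</p>"


if __name__ == "__main__":
    for name, matches in find_leaks(SAMPLE_LEAKY).items():
        print(f"{name}: {len(matches)} hit(s), e.g. {matches[0]!r}")
    print("clean page leaks:", has_leak(SAMPLE_CLEAN))
```

Run it against captured responses from a staging environment with error conditions forced on purpose (bad input, an unavailable database); any hit means the error path still needs the generic handler described in the next section.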
Converting 5xx to 404s
By converting a 5xx response into a common 404 error, which you can in turn present as a custom 404 page, you effectively deny an attacker important information about your server.
“The 404 status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable”
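The pattern described in this section, applied in application code rather than by a server module, is: catch every failure at one choke point, log the full detail server-side under a reference id, and send the client a generic 404 body. The code below is an added example, not Port80's or the original post's; it uses a minimal WSGI middleware and a constructed fake database error so that it runs offline. The `leaky_app` deliberately reproduces the improper behaviour shown earlier (echoing the driver message) so the contrast is visible.

```python
import logging
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("changepw")


class FakeDbError(Exception):
    """Stands in for an ODBC/SQL driver exception (constructed for this example)."""


def change_password(user):
    # Simulates the driver failure shown above: a quote or backslash in the input
    # breaks the (hypothetical) query, and the message carries internals.
    if "'" in user or "\\" in user:
        raise FakeDbError("Incorrect syntax near '\\'., SQL state 37000 in SQLExecDirect")
    return "password changed"


def leaky_app(environ, start_response):
    """Improper handling: the driver's message is echoed to the client as a 5xx."""
    try:
        msg = change_password(environ.get("QUERY_STRING", ""))
    except FakeDbError as exc:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [f"Warning: odbc_exec(): SQL error: {exc} in /srv/app/changepw.py".encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [msg.encode()]


def crashing_app(environ, start_response):
    """An app that never catches its own failure (unhandled exception path)."""
    raise FakeDbError("SQL state 08001: connection refused")


class SafeErrors:
    """WSGI middleware: detail goes to the log, the client gets a generic 404.

    Unhandled exceptions and any 5xx status from the wrapped app are replaced
    with '404 Not Found', the 5xx-to-404 conversion discussed in the post.
    """

    def __init__(self, app, hide_5xx_as_404=True):
        self.app = app
        self.hide_5xx_as_404 = hide_5xx_as_404

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        try:
            body = b"".join(self.app(environ, capture))
        except Exception:
            ref = uuid.uuid4().hex[:12]
            log.exception("unhandled error ref=%s path=%s", ref, environ.get("PATH_INFO"))
            return self._generic(start_response, ref)
        if self.hide_5xx_as_404 and captured["status"].startswith("5"):
            ref = uuid.uuid4().hex[:12]
            log.error("5xx suppressed ref=%s status=%s body=%r",
                      ref, captured["status"], body[:200])
            return self._generic(start_response, ref)
        start_response(captured["status"], captured["headers"])
        return [body]

    @staticmethod
    def _generic(start_response, ref):
        # The reference id lets support correlate the log entry without
        # exposing any of its content to the client.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [f"Not Found (reference {ref})".encode()]


def call(app, query=""):
    """Invoke a WSGI app in-process; returns (status, body) for inspection."""
    environ = {"PATH_INFO": "/changepw", "QUERY_STRING": query}
    setup_testing_defaults(environ)
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return result["status"], body


if __name__ == "__main__":
    print("leaky:    ", call(leaky_app, query="user=bob'"))
    print("hardened: ", call(SafeErrors(leaky_app), query="user=bob'"))
    print("healthy:  ", call(SafeErrors(leaky_app), query="user=bob"))
```

Note that the generic handler is the last line of defence; the real fix for the SQL error is still parameterised queries and input validation, and the server-side log must itself be access-controlled, since it now holds everything the client no longer sees.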
Port80's ServerMask was designed to mask the information revealed through error messages, leading attackers toward misguided exploits that your firewalls can catch. ServerMask augments your defenses to build more secure networks and returns better results on security audits. A unique feature built into ServerMask is the ability to replace user-generated 5xx errors with 404 errors instead, preventing a would-be attacker from carrying out pre-attack reconnaissance. ServerMask not only obfuscates the server banner string, but also rearranges the HTTP response header field order to mimic servers such as Apache, obscures internally generated server cookies, and can even pose as a random HTTP server for every HTTP request.
/ Port80