Error Messages

Error Messages Overview

Think about these questions.

  • Why are Error Conditions and Error Messages a security problem?
  • What's wrong with error conditions?
  • Wouldn't an administrator want the most amount of information provided to use that error message to determine the problem?

Typically during the Testing process error messages are encouraged. Error Messages help in narrowing down the problems and isolated the issues. A malicious user will also use these error messages and conditions. Error messages provide additional information to the malicious user in determining the architecture of the product. An error message can give out too much information.

What should error messages NOT display

An error message should NOT display an entire exception describing what the entire process of code function calls occurred to generate the error exception. Java based programs, and web applications typically do this by default. If an error is hit, an exception is thrown, and it might be echo'd out to the browser or console.

Error messages should not display a specific error describing what error has occurred. For example picture a login box asking the user to enter a user name and password. If an incorrect password is entered, and an error message states, sorry wrong password please try again. What has the malicious user just learned? The password was incorrect right. Think what else that malicious user has learned. He/she has learned that the user name was correct. The malicious user has just discovered that although the password was incorrect, the user name was correct. Instead of the specific message stating where the problem was, the error message should state the user name and/or password you entered is invalid, please try again. This simple change will not allow a malicious user to discover information about your user store on the back end.

Error messages also include the http error status code. Sometimes a http error status code can give additional information that could be used in isolated and determining the architecture of a given software application.

Error messages should never display information about the underlying database. A black hat hacker could use this information to determine what the underlying database structure looks like and possibly use this in some SQL injection attack. Additionally it could provide information regarding what type of database you are running, versions, and all sorts of other sensitive information.