Chapter 9 Web Applications
9.2 HTTP Considerations

HTTP error codes don't help legitimate users, but they do make it easier for attackers to write simple tools to probe your application. Using a single default error response will prevent attackers from mining information such as stack traces or other system data from the application container's built-in error response. This is a specific manifestation of a general security principle: fail securely [Viega and McGraw, 2002].

Figure 9.6 An expected request sequence (Web browser and application server): submit form 1; validate form 1 parameters; show form 2; submit form 2; validate form 2 parameters; show results. The user submits a first form, and the application validates the form data and responds with a second form. The user submits the second form, and the application responds with the results of the transaction.

Figure 9.7 An attack (attack client and application server): submit form 2, but include parameters for form 1; the server accepts all parameters and validates the form 2 parameters but not the form 1 parameters; show results. The attacker submits the second form but includes the parameters for the first form in order to bypass the validation for the first form.

When an attacker explores a Web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks. If the application shows the attacker a stack trace, it relinquishes information that makes the attacker's job significantly easier. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
Here are some bad error messages:

    Exception raised: java.sql.SQLException: ORA-06502: PL/SQL: numeric or value error: character string buffer too small
    ORA-06512: at "PRJVRB.VRB_K_STAT", line 145
    ORA-06512: at "PRJVRB.VRB_K_STAT", line 27
    ORA-06512: at "PRJVRB.VRB_K_STAT", line 6
    ORA-06512: at line 1

    An Exception Has Occurred
    java.io.FileNotFoundException: /intuitACDC/Intuit_AC_NP_Quickbooks2009.P0_Q00_Source_Code.page1.sc
        at jrun.servlet.file.FileServlet.service(FileServlet.java:333)
        at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
        at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)

    HTTP Status : 500 Internal Server Error
    cause: [JSPE-2608] [E] fail to compile : source = D:\Jeus\Webhome\servlet_home\jspwork\china\jeus_jspwork\_template\_typehh\_403_ccm4701ls.java
    error msg = Note: sun.tools.javac.Main has been deprecated.
    D:\Jeus\Webhome\servlet_home\jspwork\china\jeus_jspwork\_template\_typehh\_403_ccm4701ls.java:2175: Variable 'e' is already defined in this method.
    } catch (Exception e) {}
      ^
    Note: D:\Jeus\Webhome\servlet_home\jspwork\BuykoreaApp2_servlet_engine2\MyGroup2\__DEFAULT_HOST__\china\jeus_jspwork\_template\_typehh\_403_ccm4701ls.java uses or overrides a deprecated API.
    Recompile with -deprecation for details.
    1 error, 2 warnings

And one good error message:

    A Server Error Has Occurred
    We are sorry, but an error has occurred on the Web site. This error has been logged and will be reviewed by our technical support staff. If you have further information that you feel would help us in the resolution of this error, please contact our support department using the form below.
The application configuration should specify a default error page to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice. A good configuration will also define a last-chance error handler that catches any exception that the application could possibly throw.

Set up the application logic to avoid sending exceptions to the container's default error handling mechanism. Use a very broad top-level catch block; this is one of the few places that catching java.lang.Throwable is the right thing to do. Exceptions can occur in the application server, too, so be sure to configure the application server with a default error page. At a minimum, your web.xml should include entries similar to the following:

    <error-page>
      <exception-type>java.lang.Throwable</exception-type>
      <location>/error.jsp</location>
    </error-page>
    <error-page>
      <error-code>404</error-code>
      <location>/error.jsp</location>
    </error-page>
    <error-page>
      <error-code>500</error-code>
      <location>/error.jsp</location>
    </error-page>

Be certain that the error messages your application generates do not give an attacker clues about how the system works or where it might be vulnerable. Use carefully crafted error messages to avoid leaking important information such as the identity of users, network details, or specifics about the application or server environment. For example, do not differentiate between a bad user ID and a bad password; doing so allows an attacker to learn the names of legitimate users. Do not report back information about the host, the network, DNS information, the version of the software, internal error codes, or any specific information about errors that occur. Do not put error details in an HTML comment on the error page. Error messages are not for debugging.
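The last-chance handler described above, written as a servlet filter. This is an added example for this page, not code from the book; it assumes the javax.servlet API (Servlet 2.5 or later), and the package, class and logger names are mine. It catches everything the application throws, logs the full detail server-side under a random incident id, and sends the same fixed page regardless of what went wrong.

```java
package com.example.web; // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Last-chance error handler: wraps every request, catches anything the
 * application throws, logs the details under an incident id, and sends
 * one generic page. Nothing about the failure reaches the client.
 */
public final class LastChanceErrorFilter implements Filter {

    private static final Logger LOG =
        Logger.getLogger(LastChanceErrorFilter.class.getName());

    // The only text an attacker ever sees: no status reason, no class names,
    // no hostnames, no HTML comment. The incident id lets support find the
    // log entry without exposing anything about the failure itself.
    private static final String GENERIC_PAGE =
        "<!DOCTYPE html><html><head><title>Error</title></head><body>"
        + "<h1>A Server Error Has Occurred</h1>"
        + "<p>We are sorry, but an error has occurred on the Web site. "
        + "This error has been logged and will be reviewed by our technical "
        + "support staff. Please quote reference %s if you contact support.</p>"
        + "</body></html>";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, resp);
        } catch (Throwable t) {
            // Deliberately Throwable, not Exception: this is the one place where
            // swallowing everything (including Errors) is the right thing to do,
            // because the alternative is the container's own error page.
            handle((HttpServletRequest) req, (HttpServletResponse) resp, t);
        }
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp, Throwable t)
            throws IOException {
        String incidentId = UUID.randomUUID().toString();

        // Full detail goes to the log only: stack trace, request line, peer address.
        LOG.log(Level.SEVERE,
                "incident=" + incidentId + " method=" + req.getMethod()
                + " uri=" + req.getRequestURI() + " remote=" + req.getRemoteAddr(), t);

        if (resp.isCommitted()) {
            // Headers and part of the body are already on the wire, so the
            // response cannot be replaced. Do not append the exception to
            // whatever went out; stop here and rely on the log entry.
            return;
        }
        resp.reset(); // discard buffered output and any headers set so far
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.print(String.format(GENERIC_PAGE, incidentId));
        out.flush();
    }
}
```

Map the filter to every request with a filter-mapping on /* in web.xml (or @WebFilter("/*") on Servlet 3.0 and later). Keep the error-page entries as well: the filter only sees failures inside the filter chain, and errors the container raises outside it still need a default page.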
Static Analysis: Audit Error Messages

Verify that your program uses error messages that deprive adversaries of any information that might be useful to them, while at the same time serving the needs of legitimate users. Look for any place the application might give away details about its implementation. Analyze web.xml to make sure that all exceptions are caught and routed to a default error page. We recommend a single generic page for handling uncaught exceptions, HTTP 404 (not found) or HTTP 500 (internal error). The following rules produce warnings if any of these three error page definitions is missing in web.xml:

    Configuration rule:
      File Pattern: web.xml
      XPath Expression: count(/web-app/error-page[normalize-space(string(exception-type))='java.lang.Throwable']) = 0

    Configuration rule:
      File Pattern: web.xml
      XPath Expression: count(/web-app/error-page[normalize-space(string(error-code))='404']) = 0

    Configuration rule:
      File Pattern: web.xml
      XPath Expression: count(/web-app/error-page[normalize-space(string(error-code))='500']) = 0

Even if your application defines the right custom error pages, those pages might leak sensitive information. Manually review the error messages the application can produce. Obvious problems involve the inclusion of status codes or any information that might be useful for debugging. (On a production system, that information should go only into the log.) More subtle problems might include minor variations in wording that reveal unintended details. Do all database errors result in the same message, or does a syntax error lead to "An error has occurred" while an invalid column name leads to "A system error has occurred"? All error messages should be delivered using the same code path; do not allow the same text to appear in the application more than once. (Someday a maintenance programmer might change some occurrences of a string but not others.)
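The three configuration rules above, run as a stand-alone check with the JDK's own XPath engine. This is an added example written for this page, not the rule engine the book refers to; the class and method names are mine and the sample descriptor is constructed. One detail matters when you reproduce the rules outside a tool that strips namespaces: Servlet 2.4+ descriptors declare a default namespace on the web-app element, so the parser must be left namespace-unaware or the unprefixed paths match nothing and every rule fires on a correct file.

```java
import java.io.FileReader;
import java.io.Reader;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/** Checks a web.xml for the three error-page entries; one finding per missing entry. */
public final class WebXmlErrorPageAudit {

    // Each rule is "true" (fires) when its expression counts zero matching entries.
    private static final String[][] RULES = {
        { "no <error-page> for java.lang.Throwable",
          "count(/web-app/error-page[normalize-space(string(exception-type))='java.lang.Throwable']) = 0" },
        { "no <error-page> for HTTP 404",
          "count(/web-app/error-page[normalize-space(string(error-code))='404']) = 0" },
        { "no <error-page> for HTTP 500",
          "count(/web-app/error-page[normalize-space(string(error-code))='500']) = 0" },
    };

    // Constructed sample: declares the Java EE namespace and defines only a 404 page.
    private static final String SAMPLE_WEB_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<web-app xmlns=\"http://java.sun.com/xml/ns/javaee\" version=\"2.5\">\n"
        + "  <error-page>\n"
        + "    <error-code> 404 </error-code>\n"
        + "    <location>/error.jsp</location>\n"
        + "  </error-page>\n"
        + "</web-app>\n";

    public static List<String> audit(String name, Reader webXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Old (2.3) descriptors carry a DOCTYPE; parse it without fetching the DTD
        // or resolving external entities, so the audit never makes a network call.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Deliberately namespace-unaware (see the note above): the rules use the
        // unprefixed element names exactly as the book lists them.
        dbf.setNamespaceAware(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(webXml));

        XPath xpath = XPathFactory.newInstance().newXPath();
        List<String> findings = new ArrayList<>();
        for (String[] rule : RULES) {
            Boolean missing = (Boolean) xpath.evaluate(rule[1], doc, XPathConstants.BOOLEAN);
            if (missing) {
                findings.add(name + ": " + rule[0]);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = args.length > 0
            ? audit(args[0], new FileReader(args[0]))
            : audit("sample web.xml (constructed)", new StringReader(SAMPLE_WEB_XML));
        for (String f : findings) {
            System.out.println("WARNING " + f);
        }
    }
}
```

The sample deliberately pads the error code with spaces; normalize-space() in the rule is what makes that entry still count as a 404 page, so the two warnings the sample should produce are the missing Throwable and 500 entries. Pass a path as the first argument to audit a real descriptor.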
Request Provenance

A Web application that uses session cookies must take special precautions to ensure that an attacker can't trick users into submitting bogus requests. Imagine a Web application running on example