Error handling is the mechanism a program uses to detect and respond to errors that arise during its execution. Without it, an unhandled exception interrupts the normal flow of the application or crashes the process outright. Even a completely standalone application can hit faults outside its control, such as a failing disk or a memory error, so the possibility of errors interrupting execution has to be designed for while the program is being written.
Improper Error Handling:
Improper error handling occurs when an error condition is caught badly or not at all, so that raw error details reach the end user. Besides producing a confusing response, the leaked details give an attacker material for building exploits against the weaknesses they reveal. Considerable effort goes into the development cycle to make sure that nothing about the internal processing of an application is exposed during execution; a single unhandled error can undo all of it. Such errors can arise from null pointer dereferences, failed system calls, out-of-memory conditions, network timeouts, an unavailable database, and many other interruptions of normal execution.
How Improper Error Handling Works:
Improper handling can make a program or website malfunction completely. For a website, a verbose error reveals what kind of failure occurred, which tells the attacker which attacks are worth trying. For a program, it can lead to crashes or unexpected results. What makes such errors dangerous is that they are reproducible: whenever the same conditions are met, the same error appears, which gives the attacker all the time needed to turn it into a working exploit.
Error Handling Attack & Defense Examples:
Here is an example, taken from the OWASP Testing Guide, of an Apache HTTP 404 Not Found page that reveals sensitive information:
Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
This page is generated when a user requests a URL that does not exist. It not only tells the user that an error occurred and the file cannot be found, but also discloses the web server software and version, the operating system family, the loaded modules and the PHP version. An attacker can match those versions against known vulnerabilities and design an attack accordingly.
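To make the disclosure concrete, the following is an added example (not from the original article or from OWASP) that checks an HTTP response for exactly this kind of leakage. The two responses are constructed for the example: the verbose one is modelled on the Apache page above, the hardened one shows what the same 404 looks like once the banner and signature are reduced to a generic value. The function scans the Server header and the body for component/version tokens and platform hints and returns what it finds.

```python
import re

# Constructed sample of a verbose 404 response, modelled on the Apache page
# quoted above (not captured from a real host).
VERBOSE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1>"
    "<p>The requested URL /page.html was not found on this server.</p>"
    "<address>Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 "
    "Server at localhost Port 80</address>"
)

# Constructed hardened response: generic banner, generic body, same status.
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Not Found</h1><p>The page you requested does not exist.</p>"
)

# Component/version tokens such as "Apache/2.2.3", "OpenSSL/0.9.7g" or "DAV/2".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*[A-Za-z0-9]*)")
# Platform hints of the "(Unix)" / "(Win32)" kind that Apache puts in its banner.
PLATFORM_HINT = re.compile(r"\((Unix|Win32|Win64|Linux|Debian|Ubuntu|CentOS|Red Hat)\)")


def split_response(raw):
    """Split a raw HTTP response into (status line, {header-name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_disclosures(raw):
    """Return a sorted list of (location, token) pairs for every component/version
    string or platform hint found in the Server header or the response body."""
    _, headers, body = split_response(raw)
    findings = set()
    for location, text in (("header:server", headers.get("server", "")), ("body", body)):
        for m in VERSION_TOKEN.finditer(text):
            findings.add((location, f"{m.group(1)}/{m.group(2)}"))
        for m in PLATFORM_HINT.finditer(text):
            findings.add((location, m.group(1)))
    return sorted(findings)


def leaks_versions(raw):
    """True if the response discloses any software version or platform detail."""
    return bool(find_disclosures(raw))


if __name__ == "__main__":
    for name, resp in (("verbose", VERBOSE_404), ("hardened", HARDENED_404)):
        print(name, "leaks:", leaks_versions(resp))
        for location, token in find_disclosures(resp):
            print("  ", location, token)
```

The same check can be pointed at any captured error page; the point is that a 404, 500 or other error response should pass it just as cleanly as a normal page, which on Apache means keeping the banner and signature generic (the ServerTokens and ServerSignature directives control those two fields) rather than relying on the error page never being requested.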
How To Handle Errors Properly?
Improper error handling can be prevented by following these guidelines:
- Devise a policy for logging errors: full details (stack trace, failing query, internal host names) go to a server-side log that the user never sees.
- Abstract the inner workings behind interfaces, so that callers and users see only the agreed contract, never implementation details.
- Install a generic catch-all handler at the application boundary, alongside specific handlers for the conditions you can actually recover from, so that any unanticipated exception produces a fixed, generic error message rather than a stack trace.
- Test the program against a wide range of inputs, including malformed input and failing dependencies, not only the expected cases.
- Build a fail-safe mechanism so that when an unexpected error does occur the application fails securely, refusing the request rather than continuing in an undefined state.
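The following is an added example (not code from the original article) that puts the guidelines above into practice for a single request handler. The backend function, the user ids and the error messages are all constructed for the example; the "database" is simulated by an exception. The insecure handler returns the exception and its stack trace to the client, which is the improper-handling case discussed earlier. The secure handler deals with the expected conditions specifically (missing record, backend down), keeps a catch-all for anything unanticipated, writes the full detail to the server log under a correlation id, and returns only a generic message plus that id so the incident can still be found in the log.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")


def lookup_user(user_id):
    """Constructed stand-in for a database call. "db-down" simulates an
    unavailable database; an unknown id returns None like a missing row."""
    if user_id == "42":
        return {"id": "42", "name": "alice"}
    if user_id == "db-down":
        raise ConnectionError("could not connect to db.internal:5432: connection refused")
    return None


def insecure_handler(user_id):
    """'Before': whatever went wrong, the caught exception and its stack trace
    are sent straight back to the client."""
    try:
        return 200, f"Hello {lookup_user(user_id)['name']}"
    except Exception:
        # Leaks internal host names, file paths and code structure to the user.
        return 500, "Internal error: " + traceback.format_exc()


def secure_handler(user_id):
    """'After': expected failures are handled specifically, a catch-all covers
    the rest, details go to the log, and the client gets a generic message
    carrying a correlation id."""
    error_id = uuid.uuid4().hex
    try:
        user = lookup_user(user_id)
        if user is None:
            # Expected condition handled explicitly: a plain 404, no detail.
            return 404, "The requested resource was not found."
        return 200, f"Hello {user['name']}"
    except ConnectionError:
        # Expected dependency failure: fail securely with a generic 503; the
        # connection string stays in the server-side log only.
        log.error("backend unavailable, error_id=%s", error_id, exc_info=True)
        return 503, f"Service temporarily unavailable. Reference: {error_id}"
    except Exception:
        # Catch-all at the boundary so nothing unanticipated reaches the client.
        log.error("unhandled exception, error_id=%s", error_id, exc_info=True)
        return 500, f"An internal error occurred. Reference: {error_id}"


# Strings that should never appear in a response body; used to check the two
# handlers against each other.
SENSITIVE_MARKERS = ("Traceback", 'File "', "db.internal", "ConnectionError", "TypeError")


def leaks_internals(body):
    """True if the response body contains stack-trace or internal-host details."""
    return any(marker in body for marker in SENSITIVE_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for uid in ("42", "7", "db-down"):
        for handler in (insecure_handler, secure_handler):
            status, body = handler(uid)
            print(f"{handler.__name__}({uid!r}) -> {status}, leaks={leaks_internals(body)}")
```

Running it shows the difference in the two columns a reviewer cares about: the insecure handler returns 500 with a leaking body for both the missing record and the database outage, while the secure handler returns 404 and 503 respectively with bodies that contain nothing but a fixed sentence and an opaque reference id. The id is what lets support staff join the user's report to the detailed log entry without exposing that entry.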