HTTP error codes are BAD

Posted: 15.11.2010 in Security

When I test web applications, I also watch what kind of error codes they return to the browser. Many times I submit a bug report if there is more than one kind of code (in cases where a redirect is not used) and recommend that only 404 is used. Why?

Unfortunately, error codes reveal possible security issues in the application. In the worst case they help to iterate over what kinds of bugs exist in the system. E.g. if I get code 500, it is a server error. It is very likely that there is some kind of SQL injection or some other nasty and bad error. So it is good to start iterating on the behaviour after that.

The worse problem is error codes which tell about permissions inside the system. If I get 404, it tells me that the resource doesn’t exist. But if I get 403, I know that the resource very likely exists, but I don’t have access to it. In one project I managed to identify the directory structure quite well from the error codes. And in the end I found JSP-snippets which were sent to the browser as such, without being interpreted at the server. And those revealed how JSP-files could be called without extra filtering. If /META-INF and /WEB-INF had returned 404, I wouldn’t have been able to do that many iterations. (It also returned non-404 for all sub-directories and files under those directories. I finally found the …/html/… directory, which contained JSP-snippets with a non-JSP extension. They were including JSP-files and revealing hidden GET-parameters which they accepted. After that, by calling those directly, I managed to get JSP executed. I submitted the bug report as high critical.)

These error codes don’t have to be in the browser output. It is enough if they are returned in the response headers. The text cannot lie if the correct error code is in any header. And why should the browser know what kind of error happened inside the system, if the error code is not used for anything like a redirect or popping up the authentication dialog? The result is meant for the administrators and developers, but they can get it from the logs. They actually should have stack dumps and other debug information on their side instead of the user’s side.
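One way to apply that recommendation, as an added example that is not from the original post: a Python WSGI middleware that logs the real status server-side and sends every error to the client as one identical 404, passing through only redirects and 401. The names `UniformErrors`, `demo_app` and `fetch`, and the sample paths, are constructed for illustration.

```python
import logging

log = logging.getLogger("masked-errors")
GENERIC = b"Not Found"
# Statuses the browser acts on: redirects and the authentication dialog.
PASS_THROUGH = {301, 302, 303, 307, 308, 401}

class UniformErrors:
    """WSGI middleware: any other 4xx/5xx leaves the server as one identical 404."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        seen = {}
        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, headers
        try:
            body = b"".join(self.app(environ, capture))
            code = int(seen["status"].split()[0])
        except Exception:
            # Stack trace goes to the server log, never to the client.
            log.exception("unhandled error on %s", environ.get("PATH_INFO"))
            code = 500
        if code < 400 or code in PASS_THROUGH:
            start_response(seen["status"], seen["headers"])
            return [body]
        log.warning("masked %d as 404 on %s", code, environ.get("PATH_INFO"))
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(GENERIC)))])
        return [GENERIC]

def demo_app(environ, start_response):  # constructed sample application
    path = environ["PATH_INFO"]
    if path == "/crash":
        raise RuntimeError("constructed failure")
    status, text = {"/": ("200 OK", b"home"),
                    "/WEB-INF/web.xml": ("403 Forbidden", b"Access denied"),
                    "/login": ("401 Unauthorized", b"auth required"),
                    }.get(path, ("404 Not Found", b"no such page"))
    start_response(status, [("Content-Type", "text/html")])
    return [text]

def fetch(app, path):
    """Call a WSGI app in-process and return (status, headers, body)."""
    out = {}
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                        lambda s, h, e=None: out.update(status=s, headers=h)))
    return out["status"], out["headers"], body
```

The status line, headers and body are replaced together, so a forbidden path, a missing path and a crashing handler produce byte-identical responses; the log still separates them.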

So as the curious and evil tester – I test all kinds of crazy ideas. Many times the results are unexpected.

Do you have any real-life example where error code 500 has provided any useful information for the user?

