Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- None
- None
- Reviewed
Description
Uncaught server exceptions occur when a request supplies parameter values that the server or servlet does not understand.
When error handling is improper, physical paths, versioning information, the contents of stack traces, and other internal data can be gathered and used to further an attack.
Applications should always fail safe by design. If an application fails into an unknown state, an attacker may be able to exploit that indeterminate state to reach unauthorized functionality or, worse, to create, modify or destroy data. Verbose error messages can also aid in identifying other weaknesses such as buffer overflows and SQL injection, and generally contribute to a weaker overall security posture.
For example, if we use an HTTPS web server and explicitly send a Host header with a wrong value, say attackers.com, we get the following response in the UI:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 400 Host does not match SNI</title>
</head>
<body>
<h2>HTTP ERROR 400 Host does not match SNI</h2>
<table>
<tr><th>URI:</th><td>/tablesDetailed.jsp</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Host does not match SNI</td></tr>
<tr><th>SERVLET:</th><td>-</td></tr>
<tr><th>CAUSED BY:</th><td>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI</td></tr>
</table>
<h3>Caused by:</h3>
<pre>org.apache.hbase.thirdparty.org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:279)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:210)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:483)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpChannel.run(HttpChannel.java:439)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
        at org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
        at java.lang.Thread.run(Thread.java:750)
</pre>
</body>
</html>
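The response above is Jetty's default ErrorHandler output, which includes the exception class, the full stack trace and the dispatching servlet. The following is an added example, not code from this issue or from HBase, showing how a Jetty-embedded service can replace that default with an error handler that returns only the status code and a generic message. It assumes the unshaded Jetty 9.4 / 10 API (org.eclipse.jetty.*); in HBase the same classes live under the shaded org.apache.hbase.thirdparty.org.eclipse.jetty package seen in the trace. The servlet, port and paths are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;

/**
 * Added example (not HBase code): an embedded Jetty server whose error pages
 * carry no stack trace, exception class or servlet name.
 */
public class QuietErrorPageExample {

    /** Hypothetical servlet that fails on a parameter it does not understand. */
    public static class DetailsServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            // "id=abc" makes parseInt throw; with Jetty's default ErrorHandler the
            // resulting 500 page would print the NumberFormatException stack trace.
            int id = Integer.parseInt(req.getParameter("id"));
            resp.setContentType("text/plain");
            resp.getWriter().println("details for " + id);
        }
    }

    /**
     * ErrorHandler configured so the HTML body shows only "HTTP ERROR <code>"
     * and the short reason phrase. setShowStacks(false) suppresses the
     * "Caused by:" <pre> block; setShowServlet(false) drops the SERVLET row.
     */
    public static ErrorHandler quietErrorHandler() {
        ErrorHandler handler = new ErrorHandler();
        handler.setShowStacks(false);
        handler.setShowServlet(false);
        return handler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        ServletContextHandler ctx = new ServletContextHandler();
        ctx.setContextPath("/");
        ctx.addServlet(DetailsServlet.class, "/details");
        // Exceptions thrown inside servlets are rendered by the context's handler.
        ctx.setErrorHandler(quietErrorHandler());
        server.setHandler(ctx);

        // Errors raised before any context is selected (such as the 400
        // "Host does not match SNI" from SecureRequestCustomizer) are rendered
        // by the Server-level handler, so it must be replaced as well.
        server.setErrorHandler(quietErrorHandler());

        server.start();
        server.join();
    }
}
```

With both handlers installed, a request such as GET /details?id=abc still returns status 500, and a mismatched Host header still returns 400, but the bodies contain only the status line and reason; the class names, file names and line numbers that appear in the trace above are written to the server log instead, where operators rather than clients can read them.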