Tweak Your Biz » Technology » Securing your website by handling errors

Securing your website by handling errors



Recently, I wrote the first in a series of blogs on website security and I would like to continue this series with a look at website security and error handling.

When a website is being attacked by a hacker, one attack approach is to cause the website to fail in some manner. The thinking behind this approach is to use the error message to gain ‘inside’ information about the website. With this information, the attacker is planning to better organise their attacks on the website. Structured error handling is important for website security

Error messages can provide detailed information and in the wrong hands…

Error messages, by default, are designed to provide all the necessary information to help resolve the error. However, in the wrong hands, this type of content can provide ‘valuable’ information on how the website operates in addition to access to privacy related information on customers and transactions.

Using this sample database error message from a blog by Securiteam on sql injection as an example; by causing the error, a hacker can see that the first table name in the database  is called ‘admin_login’.

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e07′
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘admin_login’ to a column of data type int.
/index.asp, line 5

With a subsequent query, it can be possible to start to extract the column names of this table, as the example shows the column name ‘login_id’.

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e07′
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value ‘login_id’ to a column of data type int.
/index.asp, line 5

In this example, with the names of the table and columns, it would be possible for a hacker to easily get access to login ids and passwords for the website.

The best defence is…

The best place to start to ensure that any error messages are handled securely is when the website is being designed and developed. As the website requirements are being discussed, any related exceptions that may cause an error should also be documented.

For example, in the previous website security blog I discussed the importance of data validation to ensure that no inappropriate data inputs could be used to attack a website. In such a scenario, rather than having the website failing and producing an internal error message such as in the above example, a user friendly message should be displayed, indicating the expected format and length of input.

Test and test again…

During the testing of the website, security testing using different attack scenarios should be completed to test the strength of your website by simulating a series of different attack methods and reviewing the results to detect and correct any weaknesses. These penetration testing scenarios should cover both typical attack methods, along with any unexpected attacks or errors. To ensure that the ‘unexpected’ errors are tested, brainstorming sessions involving developers and business owners who know their user community will be necessary, where the focus is on uncovering any unusual and unexpected user actions.

Fail safe is key

When designing the website, an important principle to include is to ensure that if an error occurs, sufficient information is provided to guide the user with no information on any server or software related topics (i.e. the website has ‘failed’ into a safe mode). In addition, all errors should be handled in a structured manner, so that irrespective where an error occurs on a website, the response is the same and managed in a consistent manner. Check your site's business logic to ensure no weaknesses

Business logic not the code can be the problem

When reviewing your website for potential weaknesses, it’s more important to assess the logic of your workflows, as the logic is the foundation for your code. The logic is driven by the business rules of the functions being provided by the website. Two examples of possible mis-use of logic include;

  • The provision of a password reminder function to assist legitimate users who may have forgotten their passwords. To ensure that such a function is not abused by a hacker, a captcha function can be included to prevent any brute force attacks.
  • The assumption that a withdrawal amount entered into an online banking service will be positive, thus leaving the possibility that a negative amount will trigger a credit to a person’s account. A data validation check on the entered value should resolve this potential weakness

As with all security principles, if time and effort is put in at the early stages of a website or application, it provides the foundation for a secure website. So in the enthusiasm to get your website live, taking some time at the start to ensure that any potential weaknesses are removed and that any unexpected errors are managed in a fail-safe manner is well worth the investment.



Sponsored Content

The Author:

Richard is a believer and advises companies on the use of Cloud services, Agile and Lean start-up principles. His focus is on innovative solutions that bring practical business benefits. He has over 18 years experience in a variety of IT roles, including over 10 years management experience working for companies such as IBM Software, Oracle & KPMG Consulting. In his various roles, his focus has been on rolling out innovative IT solutions and services, using user centered design to deliver practical business benefits. Richie is a PMI certified Project Management Professional and a certified Scrummaster. http://www.rbconsulting.ie

Add Your Comment

  • Brendan McCoy

    Timely reminder to all sites that they need to test their error handling as well as their front end functionality during UAT.

  • http://www.btbtraining.com/blog Niall Devitt

    Hi Richie, This is another important post and people should take the time to read it. Us non-techies sometimes switch off at any technical jargon, but this is such a big issue that’s it’s not something any of us can afford to do.

  • http://blog.myprojecttracker.com Barney Austen

    Hi Richie. Great reminder, as Brendan says, to ensure the security testing is part of the UAT and development process. I suspect that many would think that “sure why would anyone want to hack my site – it’s too small” – but often these are the least protected and so more open for abuse.
    Thanks for sharing.

  • http://www.seefincoaching.com/blog Elaine Rogers

    Stark reminder there Richie – would it be incorrect to presume that a developer would accommodate for the handling of basic errors or potential problems, or is it a case of take nothing for granted with your web developer / SEO expert and ensure they are dealing with potential issues?

    Should it be quoted as part of the service or is it normally “exrtra”?

  • http://twitter.com/rbconsulting Richie Bowden

    Elaine / Brendan / Barney & Niall,

    Thanks for the comments.

    Elaine, to your point, most developers will provide for this type of testing, but it’s no harm for the customer to check the scope of testing that is to be done. From talking with developers, there are times, when the customer will say ” I’m not paying for that” or (to Barney’s point), our website will be fine.

    Another important point which a customer needs to be aware of, relates to the section on business logic that the customer wants on the website – certain logic can be used in an underhand way so as well as the code the logic needs to be reviewed.

    Richie

  • http://twitter.com/rbconsulting Richie Bowden

    To all at Fame Foundry in the US,

    Thanks for the comment and endorsement.

    Richie

  • http://www.businesssecurityinformation.com Sean

    How true, error messages are what is used by many in the reconnaissance phase of trying to attack a website.u00a0 The error messages can provide a wealth of information regarding what type of server and version of software is being run on the server etc.u00a0 This type of information can really help when trying to attack a website etc.u00a0 Thanks for the info.u00a0

  • http://www.smartsolutions.ie/blog/ Elaine Rogers

    One very important aspect for small businesses is ~ “If you do not ask, you might not get” Certainly it is not a given, that when you bill a client with “30 days Credit” stamped on the invoice, that the money just magically appears in your bank account in 31 days.nnSmall businesses must be VERY pro-active in getting paid, ever before they consider hiring in the heavies, but once every channel has been used, it is imperative to hire the right people – thanks for sharing some great tips there Dave.

  • http://www.securitycamera-ny.com camera-ny

    nice post about website safety. but I thing nobody can do 100% safe.