T 4.85 Lack of or poor error handling by web applications
If errors occur during operation of a web application, the consequences can be unforeseen: the availability of the application may be reduced, or the application may become unavailable altogether. Possible results are tasks that are left half-executed, loss of temporarily cached states and data, or failure of security mechanisms. If errors are not handled correctly, neither the operation of the web application nor the protection of its functions and data is ensured any longer.
Examples:
- During operation, a web application usually uses resources such as open network or file streams in order to access background systems, cached states or other data. While the web application holds such a resource, it is often reserved for exclusive access and cannot be used by other processes. If the reserved resources are not released correctly when an error occurs, they may remain blocked. This can result in loss of data, for example because cached changes can no longer be written back.
- If errors occur while the security components (e.g. authentication, authorisation) are executed and these errors are handled poorly, the requested task may be carried out without any control: a task that would normally be refused may be allowed in the event of an error, i.e. the check fails open instead of failing closed.
- Error messages can contain detailed information on the cause of the error that the user does not need but that enables targeted attacks. Such details include stack traces, debugging output, error messages from invalid SQL queries, and version information on the web server and other application components used. Even seemingly uncritical information can be exploited: if a failed login attempt reports that the user name is known but the password was wrong, the attacker learns that the user name exists, can enumerate valid accounts in this way, and can then concentrate a brute-force attack on them.
- If error handling is performed on the client (e.g. in the web browser), it can be manipulated or disabled there. An attacker can thus influence and control how errors are handled, so the server must not rely on client-side error handling.
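The following Python example is added here to illustrate the first three examples above; it is not part of the catalogue text. It contrasts an authorisation check that fails open when its backend errors with one that fails closed, a login that distinguishes "unknown user" from "wrong password" with one that returns a uniform message, a request handler that keeps stack traces on the server, and a write that always releases its reserved resource. The user store, roles, the simulated backend failure and the (status, message) response shape are constructed assumptions for the example.

```python
"""Fail-open vs. fail-closed error handling in security components, and
verbose vs. uniform error responses.  Added example for T 4.85; the user
store, roles and request/response shapes are constructed for illustration."""
import hashlib
import hmac
import logging
import secrets
import traceback

log = logging.getLogger("webapp")

# Constructed sample user store: username -> (salt, sha256(salt || password)).
_SALT = b"constructed-salt"


def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
ROLES = {"alice": {"user"}}


class RoleServiceDown(RuntimeError):
    """Simulates the role/permission backend being unreachable (assumption)."""


def lookup_roles(username, backend_up=True):
    if not backend_up:
        raise RoleServiceDown("role backend unreachable")
    return ROLES.get(username, set())


# Example 2 of the threat, vulnerable form: an error inside the authorisation
# check is swallowed and the request is allowed because nothing said "no".
def authorize_fail_open(username, needed, backend_up=True):
    try:
        return needed in lookup_roles(username, backend_up)
    except RoleServiceDown:
        log.warning("role lookup failed; allowing request")
        return True


# Hardened form: any error in a security component denies the request.
def authorize_fail_closed(username, needed, backend_up=True):
    try:
        return needed in lookup_roles(username, backend_up)
    except RoleServiceDown:
        log.error("role lookup failed; denying request")
        return False


# Example 3 of the threat, vulnerable form: the login error tells the client
# whether the user name exists, so valid accounts can be enumerated.
def login_verbose(username, password):
    if username not in USERS:
        return 401, "Unknown user name"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), digest):
        return 401, "Wrong password"
    return 200, "OK"


# Hardened form: one uniform message for both cases; the detail goes only to
# the server log.  Unknown users are hashed against a dummy digest so that
# the response time does not reveal the difference either.
def login_uniform(username, password):
    salt, digest = USERS.get(username, (_SALT, bytes(32)))
    if not hmac.compare_digest(_hash(salt, password), digest):
        log.info("failed login for %r (exists: %s)", username, username in USERS)
        return 401, "Invalid user name or password"
    return 200, "OK"


# Generic handler: an unexpected exception must never leak a stack trace to
# the client.  The client gets an opaque reference; the trace stays server-side.
def handle(view, *args):
    try:
        return view(*args)
    except Exception:
        ref = secrets.token_hex(4)
        log.error("unhandled error %s:\n%s", ref, traceback.format_exc())
        return 500, "Internal error (reference %s)" % ref


# Example 1 of the threat: a reserved resource (here a simple lock set) is
# released in `finally`, so a failing write cannot leave it blocked.
def write_cached_state(store, locks, key, value):
    if key in locks:
        raise RuntimeError("resource %r is already reserved" % key)
    locks.add(key)
    try:
        if value is None:
            raise ValueError("nothing to write")
        store[key] = value
    finally:
        locks.discard(key)
```

With the role backend down, `authorize_fail_open` grants a role the user never had, while `authorize_fail_closed` refuses; `login_uniform` returns the same response for an unknown user and for a wrong password, and `handle` turns an internal exception into a reference number the operator can look up in the log.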