Error codes & custom 404s
1.
2.
3. • Error Codes are very common during Web
Application Security tests
• Often seen as a non-security issue
• Easy to remediate
4. • Error Codes can unveil a lot of information
regarding an Application to an attacker
• This includes:
– Databases
– Bugs
– Server Config
5. – Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server
– Microsoft OLE DB Provider for ODBC Drivers error
'80004005' [Microsoft][ODBC Access 97 ODBC driver
Driver]General error Unable to open registry key 'DriverId'
– Not Found The requested URL /page.html was not found
on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3
OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port
80
6. • If a user requests a dynamic resource that
does not exist (for example, an ASPX file), then
the user sees the default server error message
generated by ASP.NET for HTTP 404 errors:
7. • If an unhandled exception occurs in the
application, then the user sees the default
server error message generated by ASP.NET
for HTTP 500 errors:
8. • ASP.NET web application developers call these
the "
"(
)
• Similar to this traffic light, users and
developers are unaware of the risk these
errors can pose
9. • Add error pages for 404 and 500 error codes
from within the application configuration file
(web.config)
• This instructs IIS to use the specified custom
pages for these error codes
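
A web.config along the lines of slide 9, added here as an example and not taken from the original slides. The page names (404.aspx, 500.aspx, 404.html, 500.html) are assumptions; the weak setting is shown in a comment for contrast.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak setting, for contrast: <customErrors mode="Off" /> sends the
         default ASP.NET error page, with exception details, to every client. -->
    <!-- mode="On" serves the custom pages to all clients, local or remote.
         ResponseRewrite renders the page in place instead of a 302 redirect. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/500.aspx">
      <!-- Assumed page names; each page should contain only a generic message. -->
      <error statusCode="404" redirect="~/404.aspx" />
      <error statusCode="500" redirect="~/500.aspx" />
    </customErrors>
  </system.web>
  <system.webServer>
    <!-- Covers errors raised by IIS itself, for requests that never reach
         ASP.NET (for example a missing static file). -->
    <httpErrors errorMode="Custom">
      <!-- Drop the inherited defaults before adding our own entries. -->
      <remove statusCode="404" subStatusCode="-1" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="404" path="404.html" responseMode="File" />
      <error statusCode="500" path="500.html" responseMode="File" />
    </httpErrors>
  </system.webServer>
</configuration>
```

With ResponseRewrite, each .aspx error page has to set Response.StatusCode itself (404 or 500); otherwise the custom page is returned with a 200 status.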