OWASP - User contributions [en]

Testing for Error Code (OTG-ERR-001)

2007-02-23T03:24:17Z

Tusharvartak:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

Often during a penetration test on web applications we come up against many error codes generated from applications or web servers.
It's possible to cause these errors to be displayed by using a particular request, either specially crafted with tools or created manually.
These codes are very useful to penetration testers during their activities because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.
Within this section we'll analyse the more common codes (error messages) and bring into focus the steps of vulnerability assessment.
The most important aspect for this activity is to focus one's attention on these errors, seeing them as a collection of information that will aid in the next steps of our analysis. A good collection can facilitate assessment efficiency by decreasing the overall time taken to perform the penetration test.

== Description of the Issue ==

A common error that we can see during our search is the HTTP 404 Not Found.
Often this error code provides useful details about the underlying web server and associated components. For example:

<pre>
Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
</pre>

This error message can be generated by requesting a non-existant URL.
After the common message that shows a page not found, there is information about web server version, OS, modules and other products used.
This information can be very important from an OS and application type and version identification point of view.

Web server errors aren't the only useful output returned requiring security analysis. Consider the next example error message:

<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied
</pre>

What happened? We will explain step-by-step below.

In this example, the 80004005 is a generic IIS error code which indicates that it could not establish a connection to its associated database. In many cases, the error message will detail the type of the database. This will often indicate the underlying operating system by association. With this information, the penetration tester can plan an appropriate strategy for the security test.

By manipulating the variables that are passed to the database connect string, we can invoke more detailed errors.
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'
</pre>

In this example, we can see a generic error in the same situation which reveals the type and version of the associated database system and a dependence on Windows operating system registry key values.

Now we will look at a practical example with a security test against a web application that loses its link to its database server and does not handle the exception in a controlled manner. This could be caused by a database name resolution issue, processing of unexpected variable values, or other network problems.

Consider the scenario where we have a database administration web portal which can be used as a front end GUI to issue database queries, create tables and modify database fields. During POST of the logon credentials, the following error message is presented to the penetration tester that which indicates the presence of a MySQL database server:

<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host
</pre>

If we see in the HTML code of the logon page the presence of a '''hidden field''' with a database IP, we can try to change this value in the URL with the address of database server under the penetration tester's control in an attempt to fool the application into thinking that logon was successful.

Another example: knowing the database server that services a web application, we can take advantage of this information to carry out a SQL Injection for that kind of database or a persistent XSS test.

'''Error Handling in IIS and ASP .net'''

ASP .net is a common framework from Microsoft used for developing web applications. IIS is one of the commonly used web server. Errors occur in all applications, we try to trap most errors but it is alomst impossible to cover each and every exception.

IIS uses a set of custom error pages generally found in c:\winnt\help\iishelp\common to display errors like '404 page not found' to the user. These default pages can be changed and custom errors can be configured for IIS server. when IIS receives request for an aspx page it is passed on to the dot net framework.

There are various ways by which errors can be handled in dot net framework. Errors are handled at three places in ASP .net

1. Inside Web.config customErrors section
2. Inside global.asax Application_Error Sub
3. at the the aspx or associated codebehind page in the Page_Error sub

'''Handling errors using web.config'''

<pre>
<customErrors defaultRedirect="myerrorpagedefault.aspx" mode="On|Off|RemoteOnly">
<error statusCode="404" redirect="myerrorpagefor404.aspx"/>
<error statusCode="500" redirect="myerrorpagefor500.aspx"/>
</customErrors>
</pre>

mode="On" will turn on custom errors. mode=RemoteOnly will show custome errors to the remote web application users. a user accessing the server locally will be presented by the complete stack trace and custom errors will not be shown to him.

all the errors unless explicitly specified will be brought to defaultRedirect i.e. myerrorpagedefault.aspx.

a statuscode 404 will be shown myerrorpagefor404.aspx.

'''Handling errors in Global.asax'''

When an error occurs, the Application_Error sub is called. A developer can write code for error handling / page redirection in this sub.

<pre>
Private Sub Application_Error (ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.Error
End Sub
</pre>

''''Handling errors in Page_Error sub'''

This is similiar to application error.

<pre>
Private Sub Page_Error (ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.Error
End Sub
</pre>

'''Error hierarchy in ASP .net'''

Page_Error sub will be processed first, global.asax Application_Error sub and finally customErrors section in web.config file will be processed.

Information Gathering on web applications with server-side technology is quite difficult, but the information discovered can be useful for the correct execution of an attempted exploit (for example, SQL injection or Cross Site Scripting (XSS) attacks)and can reduce false positives.

'''How to test for ASP.net and IIS Error Handling'''

Fire up your browser and type a random page name

<pre>
Http:\\www.mywebserver.com\anyrandomname.asp
<\pre>

if the server returns

<pre>
The page cannot be found

HTTP 404 - File not found
Internet Information Services
</pre>

it means IIS custom errors are not configured. Please note the .asp extension.

Also test for .net custom errors. type a random page name with aspx extension in your browser

<pre>
Http:\\www.mywebserver.com\anyrandomname.'''aspx'''
<\pre>

if the server returns

<pre>
Server Error in '/' Application.
--------------------------------------------------------------------------------

The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
</pre>

custom errors for .net are not configured.

== Black Box testing and example ==

'''Test:'''
<pre>
telnet <host target> 80
GET /<wrong page> HTTP/1.1
<CRLF><CRLF>
</pre>
'''Result:'''
<pre>
HTTP/1.1 404 Not Found
Date: Sat, 04 Nov 2006 15:26:48 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
</pre>
'''Test:'''
<pre>
1. Network problems
2. Bad configuration about host database address
</pre>
'''Result:'''
<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005) '
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host
</pre>
'''Test:'''
<pre>
1. Authentication failed
2. Credentials not inserted
</pre>
'''Result:'''

Firewall version used for authentication: 
<pre>
Error 407
FW-1 at <firewall>: Unauthorized to access the document.
• Authorization is needed for FW-1.
• The authentication required by FW-1 is: unknown.
• Reason for failure of last attempt: no user
</pre>

== Gray Box testing and example ==

'''Test:'''

Enumeration of the directories with access denied: 
<pre>
http://<host>/<dir>
</pre>
'''Result:'''
<pre>
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
</pre>
<pre>
Forbidden
You don't have permission to access /<dir> on this server.
</pre>

== References ==

* [1] [[http://www.ietf.org/rfc/rfc2616.txt?number=2616 RFC2616]] Hypertext Transfer Protocol -- HTTP/1.1

{{Category:OWASP Testing Project AoC}}

Testing Guide Frontispiece

2007-02-23T03:09:13Z

Tusharvartak: /* Authors */

{{Template:OWASP Testing Guide v2}}

==Welcome to the OWASP Testing Guide 2.0==
“Open and collaborative knowledge: that’s the OWASP way” 
-- [[User:Mmeucci|Matteo Meucci]] 

OWASP thanks the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. If you have any comments or suggestions on the Testing Guide, please e-mail the Testing Guide mail list:

http://lists.owasp.org/mailman/listinfo/owasp-testing

==Copyright and License==

Copyright (c) 2006 The OWASP Foundation.

This document is released under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons 2.5 License]. Please read and understand the license and copyright conditions.

==Revision History ==

The Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to Eoin Keary in 2005 and transformed into a wiki. Matteo Meucci has decided to take on the Testing guide and is now the lead of the OWASP Testing Guide Autumn of Code (AoC) effort.

; December 25, 2006
: "OWASP Testing Guide", Version 2.0

; July 14, 2004
: "OWASP Web Application Penetration Checklist", Version 1.1

; December 2004
: "The OWASP Testing Guide", Version 1.0

== Editors ==
'''Eoin Keary''': OWASP Testing Guide 2005-2007 Lead. 

'''Matteo Meucci''': OWASP Testing Guide "Autumn of Code" 2006 Lead. Testing Guide 2007 Lead. 

== Authors ==

{| border="0"
| valign="top" |
* Vicente Aguilera
* Mauro Bregolin
* Tom Brennan
* Gary Burns
* Luca Carettoni
* Dan Cornell
* Mark Curphey
* Daniel Cuthbert
* Sebastien Deleersnyder
* Stephen DeVries
* Stefano Di Paola
| valign="top" |
* David Endler
* Giorgio Fedon
* Javier Fernández-Sanguino
* Glyn Geoghegan
* Stan Guzik
* Madhura Halasgikar
* Eoin Keary
* David Litchfield
* Andrea Lombardini
* Ralph M. Los
* Claudio Merloni
| valign="top" |
* Matteo Meucci
* Marco Morana
* Laura Nunez
* Gunter Ollmann
* Antonio Parata
* Yiannis Pavlosoglou
* Carlo Pelliccioni
* Harinath Pudipeddi
* Alberto Revelli
* Mark Roxberry
* Tom Ryan
| valign="top" |
* Anush Shetty
* Larry Shields
* Dafydd Studdard
* Andrew van der Stock
* Ariel Waissbein
* Jeff Williams
* Tushar Vartak
|}

== Reviewers ==

{| border="0"
| valign="top" |
* Vicente Aguilera
* Marco Belotti
| valign="top" |
* Mauro Bregolin
* Marco Cova
| valign="top" |
* Daniel Cuthbert
* Paul Davies
| valign="top" |
* Stefano Di Paola
* Matteo G.P. Flora
| valign="top" |
* Simona Forti
* Darrell Groundy
| valign="top" |
* Eoin Keary
* James Kist
| valign="top" |
* Katie McDowell
* Marco Mella
| valign="top" |
* Matteo Meucci
* Syed Mohamed A.
| valign="top" |
* Antonio Parata
* Alberto Revelli
| valign="top" |
* Mark Roxberry
* Dave Wichers
|}

==Trademarks==

* Java, Java Web Server, and JSP are registered trademarks of Sun Microsystems, Inc.
* Merriam-Webster is a trademark of Merriam-Webster, Inc.
* Microsoft is a registered trademark of Microsoft Corporation.
* Octave is a service mark of Carnegie Mellon University.
* VeriSign and Thawte are registered trademarks of VeriSign, Inc.
* Visa is a registered trademark of VISA USA.
* OWASP is a registered trademark of the OWASP Foundation

All other products and company names may be trademarks of their respective owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

{{Category:OWASP Testing Project AoC}}

Testing for Error Code (OTG-ERR-001)

2007-02-23T03:07:56Z

Tusharvartak: /* Description of the Issue */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

Often during a penetration test on web applications we come up against many error codes generated from applications or web servers.
It's possible to cause these errors to be displayed by using a particular request, either specially crafted with tools or created manually.
These codes are very useful to penetration testers during their activities because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.
Within this section we'll analyse the more common codes (error messages) and bring into focus the steps of vulnerability assessment.
The most important aspect for this activity is to focus one's attention on these errors, seeing them as a collection of information that will aid in the next steps of our analysis. A good collection can facilitate assessment efficiency by decreasing the overall time taken to perform the penetration test.

== Description of the Issue ==

A common error that we can see during our search is the HTTP 404 Not Found.
Often this error code provides useful details about the underlying web server and associated components. For example:

<pre>
Not Found
The requested URL /page.html was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
</pre>

This error message can be generated by requesting a non-existant URL.
After the common message that shows a page not found, there is information about web server version, OS, modules and other products used.
This information can be very important from an OS and application type and version identification point of view.

Web server errors aren't the only useful output returned requiring security analysis. Consider the next example error message:

<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied
</pre>

What happened? We will explain step-by-step below.

In this example, the 80004005 is a generic IIS error code which indicates that it could not establish a connection to its associated database. In many cases, the error message will detail the type of the database. This will often indicate the underlying operating system by association. With this information, the penetration tester can plan an appropriate strategy for the security test.

By manipulating the variables that are passed to the database connect string, we can invoke more detailed errors.
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'
</pre>

In this example, we can see a generic error in the same situation which reveals the type and version of the associated database system and a dependence on Windows operating system registry key values.

Now we will look at a practical example with a security test against a web application that loses its link to its database server and does not handle the exception in a controlled manner. This could be caused by a database name resolution issue, processing of unexpected variable values, or other network problems.

Consider the scenario where we have a database administration web portal which can be used as a front end GUI to issue database queries, create tables and modify database fields. During POST of the logon credentials, the following error message is presented to the penetration tester that which indicates the presence of a MySQL database server:

<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host
</pre>

If we see in the HTML code of the logon page the presence of a '''hidden field''' with a database IP, we can try to change this value in the URL with the address of database server under the penetration tester's control in an attempt to fool the application into thinking that logon was successful.

Another example: knowing the database server that services a web application, we can take advantage of this information to carry out a SQL Injection for that kind of database or a persistent XSS test.

'''Error Handling in IIS and ASP .net'''

ASP .net is a common framework from Microsoft used for developing web applications. IIS is one of the commonly used web server. Errors occur in all applications, we try to trap most errors but it is alomst impossible to cover each and every exception.

IIS uses a set of custom error pages generally found in c:\winnt\help\iishelp\common to display errors like '404 page not found' to the user. These default pages can be changed and custom errors can be configured for IIS server. when IIS receives request for an aspx page it is passed on to the dot net framework.

There are various ways by which errors can be handled in dot net framework. Errors are handled at three places in ASP .net

1. Inside Web.config customErrors section
2. Inside global.asax Application_Error Sub
3. at the the aspx or associated codebehind page in the Page_Error sub

'''Handling errors using web.config'''

<pre>
<customErrors defaultRedirect="myerrorpagedefault.aspx" mode="On|Off|RemoteOnly">
<error statusCode="404" redirect="myerrorpagefor404.aspx"/>
<error statusCode="500" redirect="myerrorpagefor500.aspx"/>
</customErrors>
</pre>

mode="On" will turn on custom errors. mode=RemoteOnly will show custome errors to the remote web application users. a user accessing the server locally will be presented by the complete stack trace and custom errors will not be shown to him.

all the errors unless explicitly specified will be brought to defaultRedirect i.e. myerrorpagedefault.aspx.

a statuscode 404 will be shown myerrorpagefor404.aspx.

'''Handling errors in Global.asax'''

When an error occurs, the Application_Error sub is called. A developer can write code for error handling / page redirection in this sub.

<pre>
Private Sub Application_Error (ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.Error
End Sub
</pre>

''''Handling errors in Page_Error sub'''

This is similiar to application error.

<pre>
Private Sub Page_Error (ByVal sender As Object, ByVal e As System.EventArgs)
Handles MyBase.Error
End Sub
</pre>

'''Error hierarchy in ASP .net'''

Page_Error sub will be processed first, global.asax Application_Error sub and finally customErrors section in web.config file will be processed.

Information Gathering on web applications with server-side technology is quite difficult, but the information discovered can be useful for the correct execution of an attempted exploit (for example, SQL injection or Cross Site Scripting (XSS) attacks)and can reduce false positives.

== Black Box testing and example ==

'''Test:'''
<pre>
telnet <host target> 80
GET /<wrong page> HTTP/1.1
<CRLF><CRLF>
</pre>
'''Result:'''
<pre>
HTTP/1.1 404 Not Found
Date: Sat, 04 Nov 2006 15:26:48 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
</pre>
'''Test:'''
<pre>
1. Network problems
2. Bad configuration about host database address
</pre>
'''Result:'''
<pre>
Microsoft OLE DB Provider for ODBC Drivers (0x80004005) '
[MySQL][ODBC 3.51 Driver]Unknown MySQL server host
</pre>
'''Test:'''
<pre>
1. Authentication failed
2. Credentials not inserted
</pre>
'''Result:'''

Firewall version used for authentication: 
<pre>
Error 407
FW-1 at <firewall>: Unauthorized to access the document.
• Authorization is needed for FW-1.
• The authentication required by FW-1 is: unknown.
• Reason for failure of last attempt: no user
</pre>

== Gray Box testing and example ==

'''Test:'''

Enumeration of the directories with access denied: 
<pre>
http://<host>/<dir>
</pre>
'''Result:'''
<pre>
Directory Listing Denied
This Virtual Directory does not allow contents to be listed.
</pre>
<pre>
Forbidden
You don't have permission to access /<dir> on this server.
</pre>

== References ==

* [1] [[http://www.ietf.org/rfc/rfc2616.txt?number=2616 RFC2616]] Hypertext Transfer Protocol -- HTTP/1.1

{{Category:OWASP Testing Project AoC}}