Poor error-handling mechanisms – Security Testing Handbook for Banking Applications

2: Basic Tests and Techniques
the organisation has a stronger password policy than the application password policy, it must be configured to a similar strength.
Poor error-handling mechanisms
When the application, the web server or the database receives data in an unexpected form, it throws an error message. If the software is not programmed to either block or sanitise these messages, important information about the respective component can be revealed to the user. An attacker could use these error messages to craft further attacks. In a penetration test, numerous SQL injection test cases are crafted to deliberately cause the application to throw error messages, because these messages help the tester refine the SQL query and retrieve data from the database.
Solution
Create a generic error-handling procedure. This procedure must be called every time a malformed query or request is sent to the application. It should catch any error message generated by the application, the web server or the database, show a generic error message to the user instead, and log the user out.
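The following is an added illustration of the solution above, not code from the handbook. It contrasts a lookup that returns the raw database exception to the user with the same lookup wrapped in a generic error handler that records the details server-side, replaces them with a generic message carrying only a reference number, and invalidates the session. The `accounts` table, the `Session` class and the `handle_request` helper are constructed for this example.

```python
import logging
import sqlite3
import uuid

logger = logging.getLogger("banking-app")


def make_db():
    """Constructed in-memory stand-in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT, balance INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, 'alice', 100)")
    db.commit()
    return db


class Session:
    """Minimal session object (hypothetical); the handler logs the user out on error."""

    def __init__(self, user):
        self.user = user
        self.authenticated = True


def lookup_account_leaky(db, account_id):
    """Before: the raw exception text is sent straight back to the user.
    Malformed input such as 'abc' makes the database complain about the
    query, and that complaint reveals internal detail to whoever sent it."""
    try:
        row = db.execute(
            "SELECT holder, balance FROM accounts WHERE id = " + str(account_id)
        ).fetchone()
        return f"{row[0]}: {row[1]}" if row else "Account not found."
    except Exception as exc:
        return f"Error: {exc}"  # leaks component-specific information


def lookup_account(db, account_id):
    """After: strict input conversion plus a parameterised query. Any failure
    is raised, not formatted, so the generic handler decides what the user sees."""
    account_no = int(account_id)  # ValueError on malformed input
    row = db.execute(
        "SELECT holder, balance FROM accounts WHERE id = ?", (account_no,)
    ).fetchone()
    return f"{row[0]}: {row[1]}" if row else "Account not found."


def handle_request(session, action):
    """Generic error-handling procedure: run the action; on any error, log the
    full details server-side under a reference id, log the user out, and return
    only a generic message with that reference."""
    try:
        return action()
    except Exception:
        ref = uuid.uuid4().hex[:8]
        logger.exception("request failed ref=%s user=%s", ref, session.user)
        session.authenticated = False
        return f"An error occurred. Please contact support and quote reference {ref}."


if __name__ == "__main__":
    db = make_db()
    print(lookup_account_leaky(db, "abc"))  # shows what an unsanitised error reveals

    session = Session("alice")
    print(handle_request(session, lambda: lookup_account(db, "1")))
    print(handle_request(session, lambda: lookup_account(db, "abc")))
    print("still logged in:", session.authenticated)
```

The reference id ties the user-visible message to the server-side log entry, so support staff can find the real stack trace without any of it reaching the client.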