Don t Tell the Attacker Too Much When You Fail | Writing Secure Code, Second Edition

Don't Tell the Attacker Too Much When You Fail

The .NET environment offers wonderful debug information when code fails and raises an exception. However, the information could be used by an attacker to determine information about your server-based application, information that could be used to mount an attack. One example is the stack dump displayed by code like this:

try { // Do something. } catch (Exception e) { Result.WriteLine(e.ToString()); }

It results in output like the following being sent to the user:

System.Security.SecurityException: Request for the permission of type System.Security.Permissions.FileIOPermission... at System.Security.SecurityRuntime.FrameDescHelper(...) at System.Security.CodeAccessSecurityEngine.Check(...) at System.Security.CodeAccessSecurityEngine.Check(...) at System.Security.CodeAccessPermission.Demand() at System.IO.FileStream..ctor(...) at Perms.ReadConfig.ReadData() in c:\temp\perms\perms\class1.cs:line 18

Note that the line number is not sent other than in a debug build of the application. However, this is a lot of information to tell anyone but the developers or testers working on this code. When an exception is raised, simply write to the Windows event log and send the user a simple message saying that the request failed.

try { // Do something. } catch (Exception e) { #if(DEBUG) Result.WriteLine(e.ToString()); #else Result.WriteLine("An error occurred."); new LogException().Write(e.ToString()); #endif } public class LogException { public void Write(string e) { try { new EventLogPermission( EventLogPermissionAccess.Instrument,  "machinename").Assert(); EventLog log = new EventLog("Application"); log.Source="MyApp"; log.WriteEntry(e, EventLogEntryType.Warning); } catch(Exception e2) { //Oops! Can't write to event log. } } }

Depending on your application, you might need to call EventLogPermission( ).Assert, as shown in the code above. Of course, if your application does not have the permission to write to the event log, the code will raise another exception.