Exception Management


Exceptions that are allowed to propagate to the client can reveal internal implementation details that make no sense to the end user but are useful to attackers. Applications that do not use exception handling, or implement it poorly, are also subject to denial of service attacks. Top exception handling threats include:

  • Attacker reveals implementation details

  • Denial of service

Attacker Reveals Implementation Details

One of the important features of the .NET Framework is that it provides rich exception details that are invaluable to developers. If the same information is allowed to fall into the hands of an attacker, it can greatly help the attacker exploit potential vulnerabilities and plan future attacks. The type of information that could be returned includes platform versions, server names, SQL command strings, and database connection strings.

Countermeasures to help prevent internal implementation details from being revealed to the client include:

  • Use exception handling throughout your application's code base.

  • Handle and log exceptions that are allowed to propagate to the application boundary.

  • Return generic, harmless error messages to the client.
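The three countermeasures above come together at the application boundary. The following Global.asax code-behind is an added example written for this page, not code from the book: it catches any exception that reaches the ASP.NET application boundary, logs the full detail server-side (where it is only readable by administrators), suppresses the default ASP.NET error page, and sends the client a generic page. It assumes ASP.NET Web Forms, a page named GenericError.aspx that you provide, and that the "Application" event log source is available on the server.

```csharp
// Global.asax.cs (added example, not from the book).
// Pair this with web.config so remote clients never see the detailed error page:
//   <customErrors mode="RemoteOnly" defaultRedirect="GenericError.aspx" />
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    // Runs for every unhandled exception that propagates to the application boundary.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
        {
            return;
        }

        // ASP.NET wraps page errors in HttpUnhandledException; unwrap to the real cause.
        Exception root = ex.GetBaseException();

        // Full detail is logged server-side only. This is exactly the material
        // (stack traces, SQL text, connection strings in messages) that must not
        // reach the browser, so the log itself must be restricted to administrators.
        string detail = String.Format(
            "Unhandled exception for {0}\r\n{1}: {2}\r\n{3}",
            Request.Url.AbsolutePath,
            root.GetType().FullName,
            root.Message,
            root.StackTrace);
        try
        {
            EventLog.WriteEntry("Application", detail, EventLogEntryType.Error);
        }
        catch (Exception)
        {
            // A logging failure must not surface a second exception to the client.
        }

        // Clear the error so ASP.NET does not render its detailed "yellow screen".
        Server.ClearError();

        // Hand the client a generic page that carries no implementation detail.
        Response.Redirect("~/GenericError.aspx", false);
    }
}
```

GenericError.aspx should be a static page with a fixed, harmless message; do not pass the exception message or type to it through the query string, since that reintroduces the disclosure this handler exists to prevent.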

Denial of Service

Attackers will probe a Web application, usually by passing deliberately malformed input. They often have two goals in mind. The first is to cause exceptions that reveal useful information and the second is to crash the Web application process. This can occur if exceptions are not properly caught and handled.

Countermeasures to help prevent application-level denial of service include:

  • Thoroughly validate all input data at the server.

  • Use exception handling throughout your application's code base.
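The input-validation countermeasure is illustrated by the page code-behind below, an added example written for this page and not taken from the book. It applies an allow-list check to a search string and a numeric query-string parameter before any database access, so deliberately malformed input is rejected rather than allowed to cause an exception deeper in the stack; the one expected exception class (SqlException) is caught locally, logged, and answered with a generic message. It assumes a Web Forms page with a TextBox named SearchText and a Label named StatusLabel, a connection string stored under the hypothetical appSettings key "CatalogDb", and a Products table with ProductName and ProductID columns (also hypothetical).

```csharp
// ProductSearch.aspx.cs (added example, not from the book).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public class ProductSearch : Page
{
    protected TextBox SearchText;
    protected Label StatusLabel;

    // Allow-list: 1 to 50 characters of letters, digits, space or hyphen.
    // Anything else is rejected at the server before it reaches SQL.
    private static readonly Regex SearchPattern =
        new Regex(@"^[A-Za-z0-9 \-]{1,50}$", RegexOptions.Compiled);

    // Accepts only an integer in [1, 100]; the digit-count check means
    // Int32.Parse cannot overflow, so no exception is raised on bad input.
    internal static bool TryParsePageSize(string raw, out int pageSize)
    {
        pageSize = 0;
        if (raw == null || !Regex.IsMatch(raw, @"^\d{1,3}$"))
        {
            return false;
        }
        int value = Int32.Parse(raw);
        if (value < 1 || value > 100)
        {
            return false;
        }
        pageSize = value;
        return true;
    }

    protected void Search_Click(object sender, EventArgs e)
    {
        string text = SearchText.Text;
        int pageSize;
        if (!SearchPattern.IsMatch(text) ||
            !TryParsePageSize(Request.QueryString["size"], out pageSize))
        {
            // Generic response; the rejected input is not echoed back.
            StatusLabel.Text = "The search request was not valid.";
            return;
        }

        try
        {
            // "CatalogDb" is a hypothetical appSettings key holding the connection string.
            using (SqlConnection conn = new SqlConnection(
                       ConfigurationSettings.AppSettings["CatalogDb"]))
            using (SqlCommand cmd = conn.CreateCommand())
            {
                // Parameterized: validated input is still never concatenated into SQL.
                cmd.CommandText =
                    "SELECT TOP 100 ProductID, ProductName FROM Products " +
                    "WHERE ProductName LIKE @pattern ORDER BY ProductName";
                cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 52).Value = text + "%";
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    int shown = 0;
                    while (reader.Read() && shown < pageSize)
                    {
                        shown++;
                    }
                    StatusLabel.Text = String.Format("{0} product(s) found.", shown);
                }
            }
        }
        catch (SqlException ex)
        {
            // Database detail (server name, SQL text) goes to the server log only.
            EventLog.WriteEntry("Application", ex.ToString(), EventLogEntryType.Error);
            StatusLabel.Text = "The search could not be completed. Please try again later.";
        }
    }
}
```

Only the exception type the page expects is caught here; anything else still propagates to the application-boundary handler, which keeps the process from crashing and keeps the response generic. Catching a bare Exception at every page would hide programming errors from the log without improving what the client sees.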




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613