Your Stack Trace, Show It To Me

posted on Tuesday, July 22, 2008 8:46 AM

Of all the reasons you need an application delivery controller capable of bi-directional inspection of application data this is one of the best. I was trying to check out the results of a poll on PollDaddy.com and ended up with this beautiful Microsoft .NET error page, filled with so much valuable information that potential attackers must even now be laughing in that "evil genius" laugh you so often hear in retro-cartoons.

This error page tells me so many things about the application, it's environment, and its associated infrastructure that it should be a crime to let this information out. I know it's a Microsoft .NET C# application, and what the underlying directory structure looks like. I know it's using a third party library for authentication and authorization (and where it's located) and I can tell you exactly what version of .NET is running (Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433).

I also get an idea of internal data structure, as a nice piece of code is included in the error page. Hmmm...looks like "user ids" are numeric in the database.

Now I'm no evil genius, so I can only imagine just how much this tells a real evil genius. I do know, however, that this simply an unacceptable security practice and that it should never happen. Ever.

We often discuss catching "errors", but that's usually wrapped around catching 404 (not found) errors. Using iRules you can easily catch 500 (Internal server errors) as well as any other HTTP status code.

And even if the status code somehow comes back as "200 OK" but the content is full of juicy application and infrastructure information, you can use iRules to deal with it. iRules can verify that the content of a page is what it should be and if isn't, you can do something about it. Rewrite it. Change it. Redirect the user to a new page. Show a page full of dancing bananas or a picture of a whale. Whatever you want.

The point is that you recognize when information that may lead to or assist in perpetrating a breach is being presented to users and that you prevent it from happening. The chances of the information being used against you is minimal, but when you have the opportunity to mitigate that risk entirely, why wouldn't you?

Technorati Tags: MacVittie,security,data scrubbing,F5,iRules,application delivery,application security,Microsoft,polldaddy.com

Posted In: Security, Development and General,

5 Comments

Feedback

7/22/2008 8:52 AM
		wow
Kevin Hooke

7/22/2008 9:05 AM
		PollDaddy is now showing a "down" page, thank goodness!
Lori MacVittie

7/23/2008 6:16 PM
		Hey Lori, yeah, this stuff is sooooo common I stopped telling the web admins about it. Not enough time in the day and heck, most of them don't appreciate the help.
Mike Fratto

9/3/2009 2:53 AM
		If Your Users See an HTTP Error Code You
Lori MacVittie

12/14/2009 11:17 AM
		@Casino Traffic Which method did you try, can you be specific? There are several in the referenced pages and we're just trying to narrow down which one might have a problem. Thanks! Lori
macvittie

Let Me Know What You Think

Please use the form below if you have any comments, questions, or suggestions.

Title:

Name:

Email: (so we can show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Remember Me?

Enter the code shown above:

Please add 7 and 5 and type the answer here:

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0
		F5 Friday
		Data Center Feng Shui
		Dynamic Infrastructure
		Load balancing
		Service Providers
		1024 Words
		v10.2.2
		v11
		JSON
		HTML5
		Mobile
		iApp
		Availability
		Storage
		DDoS
		AppSec
		TradSec
		Marketing Madness

		February, 2012 (6)
		January, 2012 (13)
		December, 2011 (9)
		November, 2011 (12)
		October, 2011 (14)
		September, 2011 (14)
		August, 2011 (16)
		July, 2011 (12)
		June, 2011 (14)
		May, 2011 (12)
		April, 2011 (16)
		March, 2011 (16)
		February, 2011 (12)
		January, 2011 (14)
		December, 2010 (12)
		November, 2010 (14)
		October, 2010 (14)
		September, 2010 (13)
		August, 2010 (13)
		July, 2010 (18)
		June, 2010 (22)
		May, 2010 (22)
		April, 2010 (19)
		March, 2010 (23)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)