As people become more and more comfortable with shopping, banking, and communicating online, they inevitably run into all sorts of technical issues. Some of these issues are quite serious, like being unable to complete a purchase because of a malfunctioning website, or losing your family pictures because the service provider's backup system failed. Luckily, mishaps like these happen less often than they used to, as businesses become better at developing robust and secure websites. Other issues don't do any substantial harm to the user and are best described as annoying nuisances in the midst of an otherwise smooth experience.
Preventing website errors is important; today, however, I'd like to shift our readers' attention from error prevention to error reporting: in other words, what an end user should see on his or her display when your website runs into any kind of technical issue.
Several weeks ago I encountered a well-known “page not found” issue while tending to the exciting business of paying my bills through the billpay service provided by a major US financial institution. I should say upfront that the issue didn't hinder the bill payment transactions in any way, but occurred a few minutes after I was done with my bills. I stepped out for a bit and when I got back to my computer I saw the following error screen:
For a non-technical user this error page hardly means more than some “system error”: most people will press the “back” button or close the browser window altogether. But for someone with reasonable technical knowledge and a strong determination to hack into the system (umm... hacker?) this seemingly gibberish-filled page reveals a plethora of quite useful information.
Let’s take a look at the things we can learn from this error page:
- The website uses JSP technology for its presentation layer.
- The HTTP status code 404 means the page that was supposed to be displayed wasn't found on the server.
- The error message describes the failure and contains the relative path to the missing page, thus revealing part of the Web application's internal layout.
- The root-exception stack trace reveals that the website runs on WebSphere Application Server, giving an attacker a chance to look up known vulnerabilities of that container that might be used to break into the system.
Each of these facts gives a valuable hint to a hacker.
While at first sight it's hard to imagine how a mundane error page could lead to a successful hack, we should remember that time is on the attacker's side. In fact, many successful breaches of the last couple of decades were meticulously planned and patiently prepared over months if not years (as Kevin Mitnick colorfully depicted in his book The Art of Intrusion). For a determined hacker this error page is another valuable chunk of "intel" that helps to draw the big picture and plan an attack.
The moral of the story is now clear: render unto Caesar the things which are Caesar's, i.e. show the user a very generic error message. Including a link to the login page wouldn't hurt either. Keep the dirty linen of status codes, internal paths and exception stack traces in the logs for the enjoyment of the system administrator.
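To make the two halves of this advice concrete, here is an added example that is not code from the original post or from the bank in question. It shows, side by side, the verbose error rendering that leaks the four facts listed above and a safe rendering that gives the user only a generic message, a link back to the login page and an opaque reference ID, while the status, the requested path and the full stack trace go to the log under that same ID so the administrator can find them later. The `leaks_internals` check scans an error body for the kinds of strings that should never reach a browser; the pattern list, the hypothetical `/WEB-INF/jsp/billpay/confirmation.jsp` path, the `PageNotFoundException` class and the `/login` link are all constructed for this example.

```python
import logging
import re
import traceback
import uuid


class PageNotFoundException(Exception):
    """Constructed stand-in for the container's 404 condition (not a real servlet class)."""
    status = 404


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example runs offline."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger():
    log = logging.getLogger("app.errors.example")
    log.setLevel(logging.ERROR)
    log.propagate = False
    log.handlers.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    return log, handler


# Strings that have no business on a user-facing error page. The list is an
# assumption for this example; extend it with the names used by your own stack.
LEAK_PATTERNS = [
    r"Traceback \(most recent call last\)",      # Python stack-trace header
    r"^\s*at [\w$.]+\([\w.]+:\d+\)",             # Java-style frame "at a.b.C.m(C.java:12)"
    r"/WEB-INF/",                                # servlet application layout
    r"\.jsp\b",                                  # presentation technology
    r"WebSphere|Tomcat|JBoss|WebLogic",          # container product names
    r"\w+(Exception|Error)\b",                   # exception class names
]


def leaks_internals(body):
    """Return the patterns found in body; each hit is a fact an attacker would note."""
    return [p for p in LEAK_PATTERNS if re.search(p, body, re.MULTILINE)]


def render_error_verbose(exc, request_path):
    """The anti-pattern from the screenshot: status, path and root cause go to the browser."""
    status = getattr(exc, "status", 500)
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return f"Error {status}: {exc}\nRequested: {request_path}\nRoot exception:\n{trace}"


def render_error_safe(exc, request_path, log):
    """Generic page for the user; full detail, keyed by a reference ID, for the log."""
    reference = uuid.uuid4().hex[:12]
    status = getattr(exc, "status", 500)
    # exc_info=exc makes the logging formatter append the complete stack trace.
    log.error("ref=%s status=%s path=%s", reference, status, request_path, exc_info=exc)
    page = (
        "Sorry, we could not display the page you asked for.\n"
        f"If you contact us about this, please quote reference {reference}.\n"
        "Return to the login page: /login\n"
    )
    return page, reference


def simulate_request(request_path):
    """Raise and catch a 404 so the exception object carries a real traceback."""
    try:
        # Constructed internal path, in the style of the one the real page exposed.
        raise PageNotFoundException("/WEB-INF/jsp/billpay/confirmation.jsp not found")
    except PageNotFoundException as exc:
        return exc


def demo():
    log, handler = make_logger()
    exc = simulate_request("/billpay/confirm")
    verbose = render_error_verbose(exc, "/billpay/confirm")
    safe, reference = render_error_safe(exc, "/billpay/confirm", log)
    return {"verbose": verbose, "safe": safe,
            "reference": reference, "log": "\n".join(handler.lines)}


if __name__ == "__main__":
    result = demo()
    print("verbose page leaks:", leaks_internals(result["verbose"]))
    print("safe page leaks:", leaks_internals(result["safe"]))
    print(result["safe"])
```

Running the block prints a non-empty list of hits for the verbose page (the stack-trace header, the `/WEB-INF/` path, the `.jsp` extension and the exception class name) and an empty list for the safe page. The reference ID is the practical compromise between the two: the user can still report a specific failure to support, and the administrator can search the log for that ID and get everything the verbose page used to show, without any of it ever leaving the server.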