
Contributors

Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Cerrudo
Sacha Faust
JD Glaser
Jeremiah Grossman
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima



Information Leakage
Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error messages, source code, or simply left in plain sight. There are many ways a web site can be coaxed into revealing this type of information. While leakage does not necessarily represent a breach in security, it does give an attacker useful guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.

In the first case of information leakage (comments left in the code, verbose error messages, etc.), the leak may give the attacker contextual information about directory structure, SQL query structure, and the names of key processes used by the web site. Often a developer will leave comments in the HTML and script code to help with debugging or integration. This information can range from simple comments detailing how the script works to, in the worst cases, usernames and passwords used during the testing phase of development.

Information Leakage also applies to data deemed confidential that are not properly protected by the web site. These data may include account numbers, user identifiers (driver's license number, passport number, Social Security number, etc.) and user-specific data (account balances, address, and transaction history). Insufficient Authentication, Insufficient Authorization, and secure transport encryption also deal with protecting and enforcing proper controls over access to data. Many attacks, such as client attacks and the "casual observer" concerns, fall outside the scope of web site protection. Information Leakage in this context deals with exposure of key user data deemed confidential or secret that should not be exposed in plain view even to the user. Credit card numbers are a prime example of user data that needs to be further protected from exposure or leakage even with the proper encryption and access controls in place.

Example
There are three main categories of Information Leakage: Comments left in code, verbose error messages and confidential data in plain sight.

Comments left in code:

    <TABLE border="0" cellPadding="0" cellSpacing="0" height="59" width="591">
    <TBODY>
    <TR>
    <!--If the image files are missing, restart VADER -->
    <TD bgColor="#ffffff" colSpan="5" height="17" width="587">&nbsp;</TD>
    </TR>

Here we see a comment left by the development/QA personnel indicating what one should do if the image files do not show up. The security breach is the host name of the server that is mentioned explicitly in the code, "VADER".

An example of a verbose error message can be the response to an invalid query. A prominent example is the error message associated with SQL queries. SQL Injection attacks typically require the attacker to have prior knowledge of the structure or format used to create SQL queries on the site. The information leaked by a verbose error message can provide the attacker the crucial information on how to construct valid SQL queries for the backend database.

The following was returned when placing an apostrophe into the username field of a login page:

Verbose error message:

    An Error Has Occurred.
    Error Message:
    System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' and password = 'g''.
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling ( Int32 hr)
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult ( tagDBPARAMS dbParams, Object& executeResult)
    at

In the first error statement a syntax error is reported. The error message reveals the query parameters that are used in the SQL query: username and password. This leaked information is the missing link for an attacker to begin to construct SQL Injection attacks against the site.
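A check for the three categories above, run over a response body before release, can look like the following. This is an added example, not part of the original text: the signature list, the function names and the sample body (including the test card number) are assumptions constructed for illustration.

```python
import re

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Assumed starting set of verbose-error signatures; extend per framework in use.
ERROR_SIGNATURES = [
    re.compile(r"\b[\w.]+Exception\b"),                  # exception class name
    re.compile(r"^\s*at\s+[\w.]+\s*\(", re.M),           # stack-trace frame
    re.compile(r"syntax error .* in query expression", re.I),
]
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_response(body):
    """Return (category, evidence) pairs for the three leakage categories."""
    # Every comment is reported; a reviewer decides which ones are harmless.
    findings = [("comment", c.strip()) for c in COMMENT.findall(body)]
    for sig in ERROR_SIGNATURES:
        m = sig.search(body)
        if m:
            findings.append(("verbose_error", m.group(0).strip()))
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            # Mask the evidence so the report does not leak the number again.
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

# Constructed body: the comment and error text shown above plus a test card number.
SAMPLE = """<TR> <!--If the image files are missing, restart VADER --> <TD>&nbsp;</TD> </TR>
Error Message: System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' and password = 'g''.
   at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(Int32 hr)
<td>Card on file: 4111 1111 1111 1111</td>"""

if __name__ == "__main__":
    for category, evidence in audit_response(SAMPLE):
        print(category, "->", evidence)
```

A generic page such as `<p>Login failed.</p>` produces no findings, which is what the login form above should return once detailed errors are logged server-side instead of being sent to the client.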


© Copyright 2005, Web Application Security Consortium. All rights reserved.