Recently I encountered a failure in a web application I have used for a long time. It was a login failure. It looked something like this:
flow = 'SAML10/Forward/SSO', entryActionList = list[[AnnotAction@3fa43ee targetAction = [AssessAction@2b6f3c01 expression = environment, resultExpression = requestArea.environment], attributes = map[[empty]]], [AnnotAction@633aeb53 targetAction = [AssessAction@34b31ea7 expression = opensamlProfileRequestContext, resultExpression = requestScope.profileReqContext], attributes = map[[empty]]], [AnnotAction@6de4dac9 targetAction = [AssessAction@171e5afe expression =
Error information is the first thing an attacker collects when sizing up a system: it is the easiest to get and often the most valuable. This one is a treasure trove. You can see that the server is using SAML, you can see attribute names, the page flows, and the framework classes that wire them together, which is enough to identify the stack and go looking for its known vulnerabilities. (Those '@3fa43ee' suffixes, by the way, are Java's default identity hash codes from Object.toString(), not version numbers; it is the class and flow names that give the stack away.)
It's 2017, people. It is completely unconscionable that a web application should ever, ever show its internals to the user in an error message. Every web and application server has shipped with an "error page" mechanism for trapping unhandled exceptions for over a decade.
But wait - this is an error page!
What sort of programmer thinks it's OK to go to the trouble of coding an error page specifically to present this information? Exposing stack traces that can easily get copied around the web and fall into the hands of attackers? Do I need Gordon Ramsay to explain things here?
And no, whiny koderz, don't beg me to put a message like this:
Everyone knows that when an error code starts with "0x8000" there's Microsoft inside.
And if you want to give your hapless user some sort of information when your software has busted in front of them, don't put a static coded string or number there. You don't want an attacker building a catalog of your error codes any more than of your Java or Microsoft exceptions. A one-up sequence? Why, so the attacker can count how many crashes your system is taking? Just use a timestamp or a random reference (random is better, since a bare timestamp can collide under load), write the full detail to the server log against that reference, and let support look it up from there.
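As an added example (not code from the original post or from the application it describes), here is the leaky handler beside the hardened one in Python: the leaky version ships the whole exception text to the user, the safe version logs it server-side under a random reference and shows the user only a fixed sentence plus that reference. The AssessAction class, the expression names and the in-memory log handler are stand-ins constructed for the demo.

```python
"""Added example: keep the stack trace server-side, show the user only an
opaque random reference.  Not the original post's code; all names are stand-ins."""
import logging
import secrets
import traceback
from dataclasses import dataclass


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the demo runs offline
    (a real deployment would use its normal file or syslog handler)."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


log = logging.getLogger("app.errors")
log.propagate = False
server_log = _ListHandler()
server_log.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log.addHandler(server_log)
log.setLevel(logging.ERROR)


@dataclass
class ErrorResponse:
    status: int
    body: str       # what the browser receives
    reference: str  # the id the user can quote to support ("" if none)


class AssessAction:
    """Hypothetical stand-in for a framework action object; its default repr
    carries the same 'ClassName object at 0x...' identity hash Java prints as '@hex'."""
    def run(self, expression: str) -> None:
        raise ValueError(f"cannot evaluate {expression!r} in {self!r}")


def leaky_error_handler(exc: BaseException) -> ErrorResponse:
    """Anti-pattern: the full exception text, class names and object
    identity hashes included, is shipped to the user."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return ErrorResponse(500, "Internal error:\n" + detail, "")


def safe_error_handler(exc: BaseException) -> ErrorResponse:
    """Hardened: everything goes to the server log under a random reference;
    the user sees a fixed sentence plus that reference and nothing else."""
    ref = secrets.token_hex(8)   # 64 random bits; not a counter, not derived from the error
    log.error("ref=%s unhandled %s", ref, type(exc).__name__, exc_info=exc)
    return ErrorResponse(500, f"Something went wrong. Reference: {ref}", ref)


def handle_request(expression: str, handler) -> ErrorResponse:
    """Simulated request: run the action, route any failure to the chosen handler."""
    try:
        AssessAction().run(expression)
        return ErrorResponse(200, "ok", "")
    except Exception as exc:  # catching everything at the edge is the point here
        return handler(exc)


def log_lines_for(ref: str) -> list:
    """Support-desk lookup: the server-side record behind a user-supplied reference."""
    return [line for line in server_log.lines if f"ref={ref}" in line]


if __name__ == "__main__":
    print(handle_request("opensamlProfileRequestContext", leaky_error_handler).body)
    resp = handle_request("opensamlProfileRequestContext", safe_error_handler)
    print(resp.body)
    print(log_lines_for(resp.reference)[0])
```

Run it and compare the two bodies: the leaky one contains the traceback, the exception class and the object address; the safe one contains nothing but a sentence and sixteen hex characters, and that same string is the key to the full record in the server log.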