Improper Error Handling

Check List

Methodology

Black Box

Improper Error Handling Leading to Information Disclosure

1. Navigate to the target web application and identify accessible API endpoints

2. Interact with the API endpoint by submitting malformed or unexpected input in request parameters:

       GET /api/v1/login?user=admin'-- HTTP/1.1
       Host: example.com

3. Observe the server response and check for detailed error messages returned by the API:

       {
         "error": "SQL syntax error in users_db at 10.0.0.1",
         "query": "SELECT * FROM users WHERE username = 'admin'--'"
       }

4. Analyze the response for sensitive information such as internal database names, internal IP addresses, SQL queries, valid usernames or system structure

5. Repeat the request with different malformed inputs to determine whether additional internal system information is disclosed

6. If the API response exposes internal database details, system architecture, or query structures through verbose error messages, the Information Disclosure vulnerability is confirmed


Information Disclosure via Improper Error Handling

1. Navigate to the target web application and identify an endpoint that accepts user-supplied input:

       GET /product?productId=1 HTTP/1.1
       Host: example.com

2. Confirm that the application responds normally when a valid numeric value is provided

3. Modify the request by replacing the numeric parameter value with an invalid string input:

       GET /product?productId=test HTTP/1.1
       Host: example.com

4. Send the modified request to the server

5. Observe the server response and check whether a 500 Internal Server Error is returned

6. Scroll through the stack trace output and identify any exposed sensitive information such as framework name or internal file paths and ...
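Both procedures above detect the same defect from the outside: an error handler that echoes internal detail to the client. As an added example (not from the original page), the Python below shows such a leaky handler beside a hardened one that logs the detail server-side and returns only a generic message with an opaque reference, plus a small checker that flags the disclosure indicators from steps 4 and 6 in a response body; `DatabaseError`, the sample messages and the regex patterns are constructed assumptions, not a specific framework's behaviour.

```python
import json
import logging
import re
import uuid

log = logging.getLogger("api")

class DatabaseError(Exception):
    """Constructed stand-in for a driver exception that carries the failing query."""
    def __init__(self, message, query):
        super().__init__(message)
        self.query = query

def leaky_error_response(exc):
    """'Before': the response shape from step 3 above, echoing internals to the client."""
    return {"error": str(exc), "query": getattr(exc, "query", None)}

def safe_error_response(exc):
    """'After': full detail goes to the server log; the client gets a generic message
    and an opaque reference that support staff can correlate with that log entry."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s query=%r", ref, type(exc).__name__, exc,
              getattr(exc, "query", None))
    return {"error": "An internal error occurred.", "reference": ref}

# Assumed indicators of disclosure, for checking your own application's error bodies:
# SQL statements, RFC 1918 addresses, file paths, Python or Java stack-trace markers.
DISCLOSURE_PATTERNS = {
    "sql_statement": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|SET|WHERE)\b", re.I),
    "internal_ip": re.compile(r"\b(10\.\d{1,3}|192\.168|172\.(1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "file_path": re.compile(r"(/[\w.-]+){2,}\.\w+|[A-Za-z]:\\[\w\\.-]+"),
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)"),
}

def find_disclosures(body):
    """Return the sorted names of indicators found in a dict or string response body."""
    text = body if isinstance(body, str) else json.dumps(body)
    return sorted(name for name, pat in DISCLOSURE_PATTERNS.items() if pat.search(text))
```

Running `find_disclosures` over every 4xx/5xx body in a staging test suite turns the manual check in steps 4 to 6 into a regression test.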


White Box

Cheat Sheet
