SlideShare a Scribd company logo

Error codes & custom 404s

Download as PPTX, PDF
Ronan Dunne, CEH, SSCP, profile picture
Ronan Dunne, CEH, SSCP

Error codes revealed during testing can provide attackers with information about an application such as the databases and bugs. While often seen as non-security issues, error codes should be customized or removed to avoid disclosing sensitive details that could aid attackers. Standard error messages can reveal server configurations, databases in use, and other details that make applications more vulnerable.

Technology
Related topics:
Application Security IT SecurityEthical Hacking CoursesASP.NET Overview Web Design and Development
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Error codes & custom 404s
Error codes & custom 404s
• Error Codes are very common during Web Application Security tests • Often seen as a non-security issue • Easy to remediate
• Error Codes can unveil a lot of information regarding an Application to an attacker • This includes: – Databases – Bugs – Server Config
– Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server – Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId‘ – Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
• If a user requests a dynamic resource that does not exist (for example, an ASPX file), then the user sees the default server error message generated by ASP.NET for HTTP 404 errors:
• If an unhandled exception occurs in the application, then the user sees the default server error message generated by ASP.NET for HTTP 500 errors:
• ASP.NET web application developers call these the " "( ) • Similar to this traffic light, Users and Developers are unaware of the risk these errors can have
• Add error pages for 404 and 500 error codes from within the application configuration file (web.config) • This instruct IIS to use the specified custom pages for these error codes
Error codes & custom 404s
Error codes & custom 404s
Error codes & custom 404s
Error codes & custom 404s

More Related Content

PPTX
Unicode
Ronan Dunne, CEH, SSCP
 
PPTX
Cross site scripting XSS
Ronan Dunne, CEH, SSCP
 
PPTX
Web application attack Presentation
Khoa Nguyen
 
PPTX
Web application attacks
hruth
 
PPTX
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
PPTX
Web Hacking Series Part 4
Aditya Kamat
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPTX
Web Security Attacks
Sajid Hasan
 
Unicode
Ronan Dunne, CEH, SSCP
 
Cross site scripting XSS
Ronan Dunne, CEH, SSCP
 
Web application attack Presentation
Khoa Nguyen
 
Web application attacks
hruth
 
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
Web Hacking Series Part 4
Aditya Kamat
 
Common Web Application Attacks
Ahmed Sherif
 
Web Security Attacks
Sajid Hasan
 

What's hot (20)

PPTX
Web Hacking Series Part 1
Aditya Kamat
 
ODP
XSS
Hrishikesh Mishra
 
PPTX
Web Hacking series part 2
Aditya Kamat
 
PPTX
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
PPTX
Web hacking series part 3
Aditya Kamat
 
PPTX
Automatically detecting security vulnerabilities in WordPress
Fresh Consulting
 
PPTX
Dzhengis 93098 ajax - security
dzhengo44
 
PDF
AJAX: How to Divert Threats
Cenzic
 
PDF
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
PDF
Sql Injection and XSS
Mike Crabb
 
PDF
SignalR
Sarvesh Kushwaha
 
PPTX
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
PPTX
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
PPTX
Cross Site Scripting(XSS)
Nabin Dutta
 
PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PPTX
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
PPTX
OWASP top 10-2013
tmd800
 
PPTX
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
PPT
Secure Web Applications Ver0.01
Vasan Ramadoss
 
PPT
SQL injection basics
Blueinfy Solutions
 
Web Hacking Series Part 1
Aditya Kamat
 
XSS
Hrishikesh Mishra
 
Web Hacking series part 2
Aditya Kamat
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Web hacking series part 3
Aditya Kamat
 
Automatically detecting security vulnerabilities in WordPress
Fresh Consulting
 
Dzhengis 93098 ajax - security
dzhengo44
 
AJAX: How to Divert Threats
Cenzic
 
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
Sql Injection and XSS
Mike Crabb
 
SignalR
Sarvesh Kushwaha
 
Website hacking and prevention (All Tools,Topics & Technique )
Jay Nagar
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Cross Site Scripting(XSS)
Nabin Dutta
 
Pentesting RESTful webservices
Mohammed A. Imran
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
OWASP top 10-2013
tmd800
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
Secure Web Applications Ver0.01
Vasan Ramadoss
 
SQL injection basics
Blueinfy Solutions
 
Ad

Viewers also liked (8)

PPTX
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 
PPTX
B wapp – bee bug – installation
Ronan Dunne, CEH, SSCP
 
PPTX
Content security policy
Ronan Dunne, CEH, SSCP
 
PPT
Qr codes
Ronan Dunne, CEH, SSCP
 
PPTX
Apache Multiview Vulnerability
Ronan Dunne, CEH, SSCP
 
PPTX
Blind xss
Ronan Dunne, CEH, SSCP
 
PPTX
Kauppatieteilijöiden työttömyys 30.9.2017
Suomen Ekonomit
 
PPTX
Click jacking
Ronan Dunne, CEH, SSCP
 
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 
B wapp – bee bug – installation
Ronan Dunne, CEH, SSCP
 
Content security policy
Ronan Dunne, CEH, SSCP
 
Qr codes
Ronan Dunne, CEH, SSCP
 
Apache Multiview Vulnerability
Ronan Dunne, CEH, SSCP
 
Blind xss
Ronan Dunne, CEH, SSCP
 
Kauppatieteilijöiden työttömyys 30.9.2017
Suomen Ekonomit
 
Click jacking
Ronan Dunne, CEH, SSCP
 
Ad

Similar to Error codes & custom 404s (20)

PPTX
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
PDF
Codeigniter
Joram Salinas
 
PDF
Securing the Apache web server
webhostingguy
 
PDF
Securing the Apache web server
webhostingguy
 
PDF
How to Harden the Security of Your .NET Website
DNN
 
PPTX
Web Application Security 101
Jannis Kirschner
 
ODP
Web Security
Chatree Kunjai
 
PPT
香港六合彩
taoyan
 
PDF
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
M Mehdi Ahmadian
 
PPS
Security testing
Tabăra de Testare
 
PPTX
Conectarea sgdb acces la un server oracle
pamiproject
 
PPTX
Data mining tools for excel and sql server
Sayed Ahmed
 
PPTX
Php reports sumit
Sumit Biswas
 
PDF
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
PPTX
hardenning Operating System Server Berbasis Linux
jokerman16
 
PDF
16 Web Application Penetration Testing 102.pdf
Er Kumar Dhananjay
 
PPTX
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
PDF
Web hackingtools cf-summit2014
ColdFusionConference
 
PDF
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
PPT
php databse handling
kunj desai
 
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
Codeigniter
Joram Salinas
 
Securing the Apache web server
webhostingguy
 
Securing the Apache web server
webhostingguy
 
How to Harden the Security of Your .NET Website
DNN
 
Web Application Security 101
Jannis Kirschner
 
Web Security
Chatree Kunjai
 
香港六合彩
taoyan
 
هک پایگاه داده و راهکارهای مقابلهDatabases hacking, safeguards and counterme...
M Mehdi Ahmadian
 
Security testing
Tabăra de Testare
 
Conectarea sgdb acces la un server oracle
pamiproject
 
Data mining tools for excel and sql server
Sayed Ahmed
 
Php reports sumit
Sumit Biswas
 
apidays New York 2023 - Putting yourself out there - how to secure your publi...
apidays
 
hardenning Operating System Server Berbasis Linux
jokerman16
 
16 Web Application Penetration Testing 102.pdf
Er Kumar Dhananjay
 
Vulnerabilities on Various Data Processing Levels
Positive Hack Days
 
Web hackingtools cf-summit2014
ColdFusionConference
 
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
php databse handling
kunj desai
 

Recently uploaded (20)

PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
KodekX | Application Modernization Development
KodekX
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

Error codes & custom 404s

  • 3. • Error Codes are very common during Web Application Security tests • Often seen as a non-security issue • Easy to remediate
  • 4. • Error Codes can unveil a lot of information regarding an Application to an attacker • This includes: – Databases – Bugs – Server Config
  • 5. – Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server – Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId‘ – Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
  • 6. • If a user requests a dynamic resource that does not exist (for example, an ASPX file), then the user sees the default server error message generated by ASP.NET for HTTP 404 errors:
  • 7. • If an unhandled exception occurs in the application, then the user sees the default server error message generated by ASP.NET for HTTP 500 errors:
  • 8. • ASP.NET web application developers call these the " "( ) • Similar to this traffic light, Users and Developers are unaware of the risk these errors can have
  • 9. • Add error pages for 404 and 500 error codes from within the application configuration file (web.config) • This instruct IIS to use the specified custom pages for these error codes