Test Methods ( Detailed Overview )

Here is a list of every test performed by Web Scan Service.

Application Error

Remediation Task

Verify that parameter values are in their expected ranges and types. Do not output debugging error messages and exceptions.

WASC Classification

Application Quality Tests

Affected Products

This issue may affect different types of products.

Technical Description

Often during a penetration test on web applications we come up against many error codes generated from applications or web servers. It's possible to cause these errors to be displayed by using a particular request, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

Fix Recommendation

[1] Check incoming requests for the presence of all expected parameters and values. When a parameter is missing, issue a proper error message or use default values.

[2] The application should verify that its input consists of valid characters (after decoding). For example, an input value containing the null byte (encoded as %00), apostrophe, quotes, etc. should be rejected.

[3] Enforce values in their expected ranges and types. If your application expects a certain parameter to have a value from a certain set, then the application should ensure that the value it receives indeed belongs to the set. For example, if your application expects a value in the range 10..99, then it should make sure that the value is indeed numeric, and that its value is in 10..99.

[4] Verify that the data belongs to the set offered to the client.

[5] Do not output debugging error messages and exceptions in a production environment.
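The five recommendations above form one request-handling procedure. The following is an added example written for this page, not code from Web Scan Service or from any scanned product. It assumes a constructed parameter schema (a required numeric "page" in 10..99, an optional "sort" drawn from a fixed set offered to the client, and an optional free-text "q"); the parameter names, the allowed values and the hypothetical action callback are all assumptions made for illustration. Validation failures return a short client-safe message, while any unexpected exception is logged server-side and, in production, replaced by a generic response so that no stack trace or internal detail reaches the client.

```python
import logging
import re
import urllib.parse

log = logging.getLogger("app")

# Constructed example schema (not taken from any real application):
#   page - required, must be numeric and lie in 10..99
#   sort - optional, defaults to "name", must be one of the values offered to the client
#   q    - optional free-text term, must not contain rejected characters
REQUIRED = {"page"}
DEFAULTS = {"sort": "name", "q": ""}
ALLOWED_SORT = {"name", "date", "size"}
PAGE_RANGE = range(10, 100)
REJECTED_CHARS = re.compile("[\x00'\"]")   # null byte, apostrophe, double quote
DIGITS_ONLY = re.compile(r"[0-9]+")         # stricter than int(), which accepts "1_0"


class ValidationError(ValueError):
    """Carries a message that is safe to return to the client."""


def validate_params(raw):
    """Apply recommendations [1]..[4] to a dict of raw query parameters."""
    # [1] every expected parameter must be present, or a default is applied
    missing = REQUIRED - set(raw)
    if missing:
        raise ValidationError("missing parameter: " + ", ".join(sorted(missing)))
    params = {**DEFAULTS, **raw}

    # [2] decode first, then reject values containing disallowed characters
    decoded = {k: urllib.parse.unquote(v) for k, v in params.items()}
    for name, value in decoded.items():
        if REJECTED_CHARS.search(value):
            raise ValidationError(f"invalid characters in parameter {name!r}")

    # [3] enforce type and range: numeric and within 10..99
    if not DIGITS_ONLY.fullmatch(decoded["page"]):
        raise ValidationError("page must be numeric")
    page = int(decoded["page"])
    if page not in PAGE_RANGE:
        raise ValidationError("page must be between 10 and 99")

    # [4] the value must belong to the set offered to the client
    if decoded["sort"] not in ALLOWED_SORT:
        raise ValidationError("sort must be one of: " + ", ".join(sorted(ALLOWED_SORT)))

    return {"page": page, "sort": decoded["sort"], "q": decoded["q"]}


def default_action(params):
    # Hypothetical business logic that runs once the input has been validated.
    return f"listing page {params['page']} sorted by {params['sort']}"


def handle_request(raw, action=default_action, production=True):
    """Return an (HTTP status, body) pair; in production, [5] keeps internals off the wire."""
    try:
        params = validate_params(raw)
        return 200, action(params)
    except ValidationError as exc:
        # Expected client error: a specific but harmless message
        return 400, str(exc)
    except Exception as exc:
        # Unexpected failure: full detail goes to the server log only
        log.exception("unhandled error while processing request")
        if production:
            return 500, "internal server error"
        # Debug detail is acceptable only outside production
        return 500, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed sample requests, as a dict of raw query parameters
    for sample in ({"page": "42", "sort": "date"}, {}, {"page": "5"},
                   {"page": "42", "q": "%27"}, {"page": "42", "sort": "color"}):
        print(sample, "->", handle_request(sample))
```

The decode-then-check ordering in step [2] matters: checking the raw string would let an encoded null byte (%00) or apostrophe (%27) pass and only surface after the framework decodes it.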