The Tale of Information Disclosure via error reporting

3 years ago 181

Gupta Bless

“Error reporting” is the mechanism that surfaces the errors a program raises. We can use it to locate the problematic statements in the program, such as uninitialized variables, stack-trace related errors and kernel related errors, so it is a very useful function for detecting and remediating runtime errors. Developers generally enable it during the development phase.

Some organizations make this feature compulsory in the initial phase of development, to learn more about why a specific error occurred, and try to keep it simple so that more users will report errors.

But consider the case where developers forget to remove it and the application is deployed to the live environment: an attacker can then take advantage of it and look for sensitive information about the application, which helps him in the information gathering phase.

Error reporting poses a high risk to an application because it discloses highly sensitive information, and the disclosure of valuable data adds unnecessary overhead. This kind of reporting also creates a large number of log entries in the database, and the SOC admin sometimes finds working through that data tedious, since most of these logs don’t pose any risk.

Note: In this blog we take the PHP language as the base, so we will be using its syntax.

error_reporting():

Syntax: error_reporting(E_ALL); or error_reporting(-1);

Passing -1 gives the same result as E_ALL: it stands for every possible error level that the error reporting function supports.

There are a couple of methods, which we discuss one by one.

die():

Syntax: die("Error should be reported");

As soon as the die() function is invoked it stops further execution of the program and prints the message, so no resources are wasted on executing the rest of the program.

trigger_error():

This function is used when the developer wants to control where and how an error is reported. By default it triggers a non-fatal error on the system; we can override the error level if we want to raise more severe errors.

1. Syntax: trigger_error("Error"); : Here the error level defaults to E_USER_NOTICE.

2. Syntax: trigger_error("Error", E_USER_ERROR); : Here the developer controls the error level. We can catch these errors with an error handler that converts them into exceptions.

While testing an application, there was a functionality where users could post their comments. In order to explore more, I entered all the parameters in the form with my registered email id. I started interception in my Burp Suite and intercepted the request.

The intercepted request looks like:

So in this request we have everything which I entered in the form. Let’s try to modify the email id to a non-existing one; I also passed an invalid character in the request, such as “ ' “.

After adding the invalid parameter and a non-existing email id, an error occurred and it showed me some sensitive information, such as the SQL query that is being used.

Developers should remove “debug” mode when deploying applications to production, and can use the “error_reporting()” function of PHP, which specifies which errors need to be reported. In PHP we have different levels of error reporting, such as:

<?php error_reporting(0); ?> : If the developer passes zero to “error_reporting”, then any errors generated by improper access in the program will not be displayed on the UI.

<?php error_reporting(E_ERROR | E_WARNING | E_PARSE); ?> : This shows only the basic errors on the page, such as warnings.

<?php error_reporting(E_ALL); ?> : This option shows all the PHP errors generated by the program.

<?php error_reporting(E_ALL & ~E_NOTICE); ?> : This option shows errors on the UI except E_NOTICE.
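The following is an added example, not code from the original post: it reproduces the comment-form lookup described above with the leaky error handling (debug settings left on, failing query echoed by die()) beside a hardened version that logs the detail server-side and shows the user only a generic message. It assumes a hypothetical "users" table and uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not from the original post). The "users" table and the
// SQLite in-memory database are constructed stand-ins for the real backend.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
    $db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");
    return $db;
}

// Leaky version: debug settings left on in production and the failing
// query echoed back to the client by die().
function lookupLeaky(PDO $db, string $email): ?array
{
    ini_set('display_errors', '1');           // errors rendered into the page
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    $sql = "SELECT id FROM users WHERE email = '$email'";   // unescaped input
    $res = $db->query($sql);
    if ($res === false) {
        // A stray quote in $email makes this fire and prints the SQL text
        // plus the driver error to whoever submitted the form.
        die('Query failed: ' . $sql . ' - ' . implode(' ', $db->errorInfo()));
    }
    return $res->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened version: errors are still recorded in full, but only in the log;
// the client sees a generic message and the query never reaches the page.
function lookupHardened(PDO $db, string $email): ?array
{
    ini_set('display_errors', '0');           // never render PHP errors
    ini_set('log_errors', '1');               // keep the detail in the server log
    error_reporting(E_ALL);                   // still report everything, to the log
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $stmt = $db->prepare('SELECT id FROM users WHERE email = :email');
        $stmt->execute([':email' => $email]); // bound parameter: the quote is data
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        error_log('user lookup failed: ' . $e->getMessage());   // server side only
        http_response_code(500);
        echo "Something went wrong, please try again later.\n";
        return null;
    }
}

$db = makeDb();
var_dump(lookupHardened($db, "nobody@example.com'"));  // NULL, nothing leaked
var_dump(lookupLeaky($db, "nobody@example.com'"));     // die() prints the SQL text
```

Note that error_reporting() only selects which errors are reported; whether they are rendered into the response is decided by display_errors, so production should keep display_errors off and log_errors on regardless of the reporting level.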