application error disclosure


Green

Apr 6, 2017, 5:11:53 AM4/6/17
to OWASP ZAP User Group
Hello,

I am seeing an "application error disclosure" vulnerability reported by ZAP, with the evidence of "HTTP/1.1 500 Internal Server Error".

Is it the HTTP 1.1 that is the problem? I know I can update my nginx to use HTTP 2, but don't know how to hide that specific version. Am I along the right lines or is it a false positive?

thanks,

thc...@gmail.com

Apr 6, 2017, 5:27:50 AM4/6/17
to zaprox...@googlegroups.com
Hi.

That's reported because of the status code 500. [1][2]

Usually that's not a good sign; the web application should handle the errors gracefully.


[1] https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules#application-errors
[2] https://tools.ietf.org/html/rfc7231#section-6.6.1

Best regards.

kingthorin+owaspzap

Apr 6, 2017, 5:30:41 AM4/6/17
to OWASP ZAP User Group
No, it's that your app generated a 500 Internal Server Error. You should review the associated request and ensure the condition is handled gracefully.

Green

Apr 6, 2017, 6:17:49 AM4/6/17
to OWASP ZAP User Group
Oh I see now, my apologies. Thank you for the help.

Green

Apr 6, 2017, 6:53:02 AM4/6/17
to OWASP ZAP User Group
Sorry, can I ask: I've just had a look at the response and the REST API does produce an error: {description":"Invalid File","summary":"error"}, but the response is a 500 Internal Server Error.

In this case, I guess the server response should be 200; is that the correct way to handle it? 200 with an error message in the body?


kingthorin+owaspzap

Apr 6, 2017, 8:03:13 AM4/6/17
to OWASP ZAP User Group
So two things here.

1) The JSON you posted is invalid which might be an issue (missing quote).
2) If you're testing an API, an error response might be a valid or planned-for condition; we can't really say one way or another, someone more familiar with the app would have to say. Is the "Invalid File" a handled condition or an oversight?

JammasterJ

Apr 6, 2017, 10:27:08 AM4/6/17
to OWASP ZAP User Group
Ah sorry yes that's a typo on my end as I didn't copy and paste (it was disabled on the VM).

It's basically requesting a file that doesn't exist, so it should error and the body looks fine to me. From what you said earlier though, it doesn't sound like 500 is the correct response, it should still be a 200 with the error in body like any other request, I think?

kingthorin+owaspzap

Apr 6, 2017, 12:55:48 PM4/6/17
to OWASP ZAP User Group
Well without knowing the specific app and implementation details if it's a "file that doesn't exist", perhaps 404 Not Found would be a more fitting response?
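To make the two points in the thread concrete (a 500 is what trips ZAP's Application Error Disclosure rule, and a request for a file that does not exist is better answered with a 404 than a 500), here is an added example that is not from the thread, from ZAP, or from the poster's API. It models a tiny `GET /files/<name>` handler over a constructed in-memory store, maps each failure to the status code that describes it, and includes a simplified stand-in for the passive check (the real ZAP rule also pattern-matches error text in the body; the status-code check and the short pattern list here are assumptions for illustration). The store contents, the handler and check function names, and the JSON field names are all constructed.

```python
import json
from http import HTTPStatus

# Constructed in-memory "file store" standing in for the API's backend (assumption).
FILE_STORE = {
    "report.pdf": b"%PDF-1.4 constructed sample bytes",
    "notes.txt": b"constructed sample text",
}

# Constructed list of strings a passive scanner might treat as error disclosure.
ERROR_PATTERNS = ("Internal Server Error", "Traceback (most recent call last)", "Exception in")


def error_body(summary: str, description: str) -> str:
    """JSON error body in the shape quoted in the thread (with the missing quote restored)."""
    return json.dumps({"description": description, "summary": summary})


def handle_get_file(name: str, store=FILE_STORE):
    """Return (status_code, body) for GET /files/<name>.

    A malformed name is a 400, a missing file is a 404 (the client asked for
    something that is not there), and only an unexpected exception becomes a 500,
    with a generic body so no internal detail reaches the client.
    """
    try:
        if not name or "/" in name or name.startswith("."):
            return HTTPStatus.BAD_REQUEST, error_body("error", "Invalid File")
        data = store.get(name)
        if data is None:
            return HTTPStatus.NOT_FOUND, error_body("error", "File not found")
        return HTTPStatus.OK, json.dumps({"summary": "ok", "size": len(data)})
    except Exception:
        # Deliberately generic: never echo the exception or a stack trace to the client.
        return HTTPStatus.INTERNAL_SERVER_ERROR, error_body("error", "Internal error")


def flags_application_error(status: int, body: str) -> bool:
    """Simplified model of the passive check: report any 500, or a body that
    contains one of the constructed error patterns (assumption: approximation
    of ZAP's rule, not its actual implementation)."""
    if int(status) == 500:
        return True
    return any(pattern in body for pattern in ERROR_PATTERNS)


class BrokenStore:
    """Constructed backend whose lookups always fail, to exercise the 500 path."""

    def get(self, name):
        raise RuntimeError("disk unavailable")


if __name__ == "__main__":
    for req in ("notes.txt", "missing.txt", "../etc/passwd"):
        status, body = handle_get_file(req)
        print(req, int(status), body, "-> flagged" if flags_application_error(status, body) else "-> ok")
    status, body = handle_get_file("notes.txt", store=BrokenStore())
    print("broken backend", int(status), body, "-> flagged" if flags_application_error(status, body) else "-> ok")
```

Run against the constructed inputs, only the broken-backend case produces a 500 and is flagged; the missing-file request returns 404 with the same kind of JSON error body the poster already has, which is the outcome the last reply in the thread points toward.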

Green

Apr 6, 2017, 2:40:14 PM4/6/17
to OWASP ZAP User Group
Good point. I'll try to get that fixed. Thank you very much for all of your help! :)