Questions tagged [error-handling]
Error handling, or exception handling, is the process in application development in which errors are caught and handled at runtime rather than allowing the errors to crash the application.
41 questions
3 votes, 1 answer, 3k views
Is this database exploitable?
I'm starting out as a bug bounty hunter and found a website that might have a problem, yet I'm unsure if it's exploitable or not. When sending any payload that contains % I get an error: Invalid query ...
2 votes, 2 answers, 392 views
Should an HTTP error 500 triggered by an XSS payload be reported as a potential vulnerability?
So, long story short, I was using an automated vulnerability scanner on a website (bounty hunting is allowed and encouraged), and it works by injecting payloads in forms and URLs etc., to trigger ...
0 votes, 1 answer, 116 views
What's wrong with toggling detailed IIS errors for production?
What is the danger of setting IIS errorMode to detailed in webconfig? It helps me marginally with sanity checks on production, but it seems like it wouldn't really help a bad actor much. I'd like to ...
2 votes, 2 answers, 249 views
Error code prefixes specific to specific microservices a vulnerability?
If your microservice architecture responds with error codes revealing which microservice had an error, doesn’t this reveal to the caller information on how your microservice architecture is designed? ...
0 votes, 1 answer, 117 views
Error message when logging in with valid credentials while registration not complete
I have a registration login process which includes a one-time activation link sent via email when the user registers. When the user clicks the link the account gets activated. Now what error message ...
2 votes, 1 answer, 353 views
Credit card form: Is it necessary to obscure error messages?
I'm working on designing a credit card payment form whose core functionality is provided by a payment processing company ("upstream"). Upon some transaction errors the upstream returns the ...
1 vote, 1 answer, 915 views
API Returning Java Exception. Safe?
I just wanted to ask if my concerns here are valid. I am aware that it is unsafe for the API to return a stack trace. I have a similar, but less egregious, situation that I am trying to judge. Is ...
4 votes, 3 answers, 2k views
Pros/Cons for showing a user how many failed login attempts they have remaining before getting blocked?
For context, my web app will be used by users who don't have a strong technical background. What are the pros or cons for displaying a message like this? Something like:
0 votes, 2 answers, 168 views
Is there a problem with this approach to handling invalid web probes?
Like any other website owner, I get frequent probes for vulnerabilities e.g. .php .sql or .gz pages. These used to appear in my log files as 404 responses (we host on ASP.NET Core). These also take ...
1 vote, 0 answers, 2k views
XSS brute-forcing results in 500 Internal Server Error
I've been trying to trigger XSS in a website with the following URL https://website.com/login/error?username_or_email=xyz%40gmai.com&redirect_after_login=%2wall While trying different payloads ...
0 votes, 0 answers, 269 views
Does Asp.Net Core expose too much information for required enums that were not supplied?
I have a simple code for an input model: public class MyClass { [Required] public MyEnum? Type { get; set; } } Now if I do not send Type as a part of the JSON in the request, I get this error from ...
0 votes, 1 answer, 164 views
Secure error messages from public API
We are writing our first public API. Now I remember hearing in the past that you shouldn't give users useful error messages; that allows hackers to learn what your data is. So if the GET is { ...
39 votes, 7 answers, 15k views
Is it a security vulnerability to tell a user what input characters are valid/invalid?
For input validation on a website, are there any security concerns with disclosing to the user exactly what characters are valid or invalid for a given field? CWE-200: Information Exposure says one ...
3 votes, 1 answer, 207 views
Leak multiple lines from file
I am researching this bug here, where the first line of an arbitrary file can be leaked by triggering a SyntaxError using the compile() function. Is there a method of leaking the rest of the file, ...
0 votes, 2 answers, 618 views
Pickle shellcode import error
I'm trying to execute pickle shellcode through a download function on a website but I get the following error: <html> <h1>ERROR: Cannot load file</h1> <!-- Traceback (most ...