Great Ideas. Always Flowing.

We are not happy until you are happy. Client satisfaction guaranteed. Whatever your needs and requirements, we have the skills and resources for the job!

SnowCovered Top Sellers

Frustrated over the lack of customization for your user's registration fields? Dynamically setup your DNN Portal with custom registration fields, layout, questions, and other core integration options......

Ultra Video Gallery is a brother product of Ultra Media Gallery, UVG allows you to upload videos in various format and automatically encode them to flv or H264 format, you also can add videos from internet or record live videos from your webcam.

Build high performance, completely customizable data-entry forms and views driven by your DNN and external databases. New built-in tools make it a snap to quickly create data entry forms, data views, and even database tables. Plus, add your own HTML, CSS, Javascript, SQL commands, stored procedures,

The most advanced DotNetNuke shopping cart on the planet. Easy to use e-Commerce, Secure Shopping Cart Software and SEO friendly. B2C / B2B Ecommerce Sites.

One stop solution for events calendar and events registration! FREE DOWNLOAD is available now!

Popular Tags

Tags

Secure Programming Tips - Application Error Handling

 

Secure Programming Tips Week 2: Application Error Handling

 

As developers, we become so preoccupied with ensuring our applications work as designed that we often overlook the necessity of unit testing with regard to error handling. For example, if I am passing an ID to another page similar to the example below,

 

http://mysite.com/Details.asp?ID=1

 

I may test this link twenty times to ensure the Details.asp page populates correctly according to the ID value that has been passed. However, I may not even consider testing if the value passed in the ID parameter were something other than a number. After all, a number is what the code expects. So what would happen if we changed the value of the ID parameter from the number 1 to the letter a? Well, if we were doing proper error handling it should error gracefully and the user would be notified that the value supplied was incorrect. On the other hand, if proper error handling wasn’t implemented the user might get the following error:

 

Microsoft VBScript runtime error ‘800a000d’
Type mismatch: ‘[string: “a”]’

 

The primary problem here is we are expecting one type of input, and we aren’t performing proper validation and error handling in the event the type passed is different then what was expected. The above error occurs because the code is expecting a numeric value, but instead receives a string value. The developer wrote the code to expect a number, but didn’t take into consideration the possibility that another type might get passed. Issues like these are easy to remediate. Simply by adding some additional code to validate the type that was passed, such as the code below, the developer could mitigate the risk of the application failing in such an unexpected manner.

 

strValue = Request.Querystring(“ID”)

 

If IsNumeric(strValue) Then

    Call ProcessDetailsPage(strValue)

Else

    Response.Redirect(“ErrorPage.html”)

End If

 

The above code, when implemented, would check to ensure the value passed in the ID parameter met the criterion of being a numeric value. If the validation determined the value was non-numeric, it would then redirect the user to the Error.html page, where a message could be displayed informing the user that the value passed was incorrect.

 

There are occasions where improper error handling can become a major security risk. For instance, assume we pass the letter “a” in the ID parameter as above, but instead of a “Type mismatch” error the user receives the following message:

 

[SQLServer ODBC Driver][SQLServer]Invalid column name ’a’.

 

For those of you who are unfamiliar with it, this type of error message reveals to the user that the application is vulnerable to a SQL injection attack. If this error message were displayed to a malicious user he would have all the information he needs to begin specific targeted attacks against the application. Other types of application error messages that might be used by a malicious user include exposing internal server paths, exposing request headers (i.e. HTTP Referrer, User-Agent, etc.) in the error message, which could be used in an XSS (Cross-Site Scripting) attack or the dump of a stack trace that discloses intimate details about the application’s internal processes.

 

Most languages today are capable of handling errors at the application level. For example, ASP and ASP.NET both contain Application_OnError events within their global.asa and global.asax files, respectively. Below is an example of how global error handling in the global.asax or global.asax.vb file might look in an ASP.NET application.

 

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)

    Logger.Log(Server.GetLastError())

    Response.Redirect(“ErrorPage.html”)

End Sub

 

When an application error occurs, the above code would log the error to our application log for later analysis. It would then redirect the user to our custom error page, thus preventing the possibility of sending a message to the user that might contain sensitive information, such as one that could inform the user that the application is vulnerable to a specific type of attack. Unfortunately, a lot of developers do not implement proper error handling techniques, but just remember global error handling is your friend, and when implemented properly can be a valuable tool in protecting your application from exposing sensitive information to outsiders.

Thanks, I hope you found this article useful! Please post any comments if you have questions.

 

 

Feedback Comments

Feedback

SharePoint Web Parts


All Data Springs Web Parts Support WSS 3.0, SharePoint 2007, and SharePoint 2010 Frameworks

Please select license option for each web part you wish to purchase. We highly recommend the SharePoint Bundle to get all Data Springs Web Parts for maximum value!

 

 

      
Cart


Data Springs Sharepoint Bundle

Best Value! The Bundle gives you all 5 web parts in one package at a very attractive price! Best Value! We think you will be very happy with the SharePoint bundle and great price discounts you will receive. With your purchase all of the web parts below will be included.
 
 
 
 

Random Image Web Part

With Random Image for Sharepoint 2007, you can select multiple images to display randomly when the web part loads...
 
 
 
 

Stock Quote Web Part

Giving your site visitors relevant information is critical. With the Data Springs Stock Web Part you can provide your users with up to date financial information
 
 
 
 

Dynamic Image Rotator Web Part

Who would have thought? Adobe Flash® with Sharepoint! The FIRST and ONLY image rotation web part for Sharepoint using Flash Technology from Adobe! The Dynamic Image Rotator displays selected images and then rotates between the images. Several extended and optional features allow you to select the time to rotate each image, fade between
 
 
 
 

SharePoint Charts Web Part

The MOSS Chart Web Part is a web part built by Data Springs for the purpose of rendering several chart types based on data from a SharePoint list on a MOSS 2007 or WSS 3.0 Site
 
 
 
 

Dynamic News Ticker Web Part

Provide current news items with a user-friendly news ticker for your Sharepoint Portal. With millions of web sites offering information you need a fun way to display information and the solution is Flash News Ticker....
 
 
 
 

Tailored Text Web Part

 Tailored Text Web Part allows you to add text/html to your web site that can be different for anonymous users, registered users,  and even individual users specifically.

 
 
 
 

Dynamic Views Web Part

Dynamic Views is an excellent tool to:
Personalization allows you to go the extra mile in communicating or connecting one to one with your clients. When it comes to technology and web site content, you now have the power to leverage this personalization directly with your users on your DotNetNuke® site

 
 
 
 

Dynamic Login Web Part

Your site content isn't vanilla, so why is your portal's login?

Add pizazz and functionality with Dynamic Login! Use custom templates, localization, redirection rules for various roles and many more features!
 
 
 
 


 
 

Join our mailing list...

Get current news and events the easy way
 
 
   
Subscribe Me

Recent Blogs...

 
Copyright 2005 - 2011 by Data Springs, Inc.