ASP.NET - hack the yellow screen of death

Some of the books I have read say it is good (obviously) to hide the yellow screens of death, not only because they look pretty informal to users, but also because hackers can use the information to hack your site.

My question is this: how can a hacker use this information? How does the .NET call stack help hackers?

I have attached a yellow screen of death that I came across on one of the sites I created a long time ago, which aroused my interest. (The error is that it fails when trying to convert the query string parameter to int. Yes, I know it's bad code, I wrote it many years ago ;)

[screenshot of the yellow screen of death attached to the question]

+7
4 answers

If you write secure code, a YSOD should not give a hacker an opportunity to crack your application. If, however, your code is insecure, the YSOD can give the attacker the information they need to carry out their attack.

Say, for example, you wrote your own forum software. You do a lot of checking when the user writes messages to prevent XSS attacks etc., but your check is flawed. If a hacker can trigger a YSOD while posting a message, the stack trace shown can potentially reveal cracks in your checking, which they can use to craft XSS attacks or obtain member details or passwords, etc.

A YSOD is not a threat in itself, but it can be a very useful way for a hacker to find flaws in your application's security.

+3

There are several different ways it could compromise your application... but mostly it would ease an attack; the vulnerability would probably already need to be there. For example, it could easily reveal a hard-coded password or salt, or a line of code that takes user input without proper sanitization.

+2

As already mentioned, a YSOD by itself is not always useful to a hacker, but suppose that on line 13 of your code above you had a hard-coded connection string or an embedded SQL query.

Now I know from your YSOD that the "id" value in your query string is actually an artId, not a random identification number, which can be useful to a hacker.

In addition, if a hacker manages to get more than one YSOD, he can uncover more information overall, and enough to damage your application.

A while back, MS reported a security vulnerability in ASP.NET where the workaround was to enable CustomErrors and hide the error code and any associated detailed error information from the user.

+1
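To illustrate the CustomErrors workaround that answer refers to, here is an added web.config fragment (not from the question or any answer) showing the weak setting next to the corrected one; the redirect page names are assumptions:

```xml
<?xml version="1.0"?>
<!-- Added example for an ASP.NET Web Forms site; Error.aspx and NotFound.aspx are assumed names. -->
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" sends the full YSOD (stack trace, source line, the
         data provider's exception text) to every remote visitor. -->
    <!-- <customErrors mode="Off" /> -->

    <!-- HARDENED: RemoteOnly still shows the detailed page to requests from
         localhost (handy when debugging on the server) and a generic page to
         everyone else; mode="On" hides it from localhost as well. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <!-- Generic pages per status code; none of them echoes exception details. -->
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>

    <!-- debug="true" adds source context and line numbers to the trace shown
         in a YSOD; keep it off in production. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

Hiding the page does not fix the underlying bug: the query string value should still be validated (for example with int.TryParse) and the exception logged server-side so the details remain available to the site's operators rather than to visitors.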

One thing that has not been mentioned yet is that the attacker now has every reason to believe you are using a MySql database (which they would otherwise hardly have guessed for an ASP.NET application), helping them narrow down the range of potential attacks. There is no point in making their job easier than it has to be.

0