• Error Codes are very common during Web Application Security tests
• Often seen as a non-security issue
• Easy to remediate
• Error Codes can unveil a lot of information regarding an Application to an attacker
• This includes:
– Databases
– Bugs
– Server Config
– Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [MySQL][ODBC 3.51 Driver]Unknown MySQL server

– Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Access 97 ODBC driver Driver]General error Unable to open registry key 'DriverId'

– Not Found The requested URL /page.html was not found on this server. Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g DAV/2 PHP/5.1.2 Server at localhost Port 80
• If a user requests a dynamic resource that does not exist (for example, an ASPX file), then the user sees the default server error message generated by ASP.NET for HTTP 404 errors:
• If an unhandled exception occurs in the application, then the user sees the default server error message generated by ASP.NET for HTTP 500 errors:
• ASP.NET web application developers call these
the "
"(
)
• Similar to this traffic light, Users and Developers are unaware of the risk these errors can have
• Add error pages for 404 and 500 error codes from within the application configuration file (web.config)
• This instructs IIS to use the specified custom pages for these error codes
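A web.config that does what the two bullets above describe, as an added example that is not from the original slides. The page names Error404.aspx and Error500.aspx are hypothetical placeholders for pages the application would supply.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Weak setting, shown for contrast: mode="Off" sends the default
         ASP.NET error page (stack trace, source excerpt, framework
         version) to every client:
         <customErrors mode="Off" />
    -->
    <!-- ASP.NET layer: covers requests handled by the ASP.NET pipeline,
         such as a missing .aspx file or an unhandled exception.
         ResponseRewrite serves the error page in place instead of
         redirecting the browser to it. -->
    <customErrors mode="On"
                  defaultRedirect="~/Error500.aspx"
                  redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/Error404.aspx" />
      <error statusCode="500" redirect="~/Error500.aspx" />
    </customErrors>
  </system.web>
  <system.webServer>
    <!-- IIS layer: covers requests that never reach ASP.NET (static
         files, unknown extensions). errorMode="Custom" shows the custom
         pages to local and remote clients alike; existingResponse="Replace"
         overrides any error body the application already produced. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <!-- Remove the inherited defaults before adding our own entries -->
      <remove statusCode="404" subStatusCode="-1" />
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="404" path="/Error404.aspx" responseMode="ExecuteURL" />
      <error statusCode="500" path="/Error500.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

The custom pages should carry only a generic message and no exception text, driver names or version strings of the kind shown in the error samples earlier on this page.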
Error codes & custom 404s