 

ASP.NET - Hacking the yellow screen of death

In some of the books that I've read, it is stated that it is good to hide yellow screens of death (obviously), not only because it is quite informal to users, but also because hackers can use the information to hack your website.

My question is this. How can a hacker use this information? How does a call stack of basic operations of the .NET call stack help hackers?

I attached a yellow screen of death that I encountered on one of the websites that I created a long time ago and it sparked my interest. (The error is that it fails when attempting to cast a query string parameter to an int. Yeah, I know it's bad code, I wrote it many years ago ;)


contactmatt asked Mar 26 '11 15:03


1 Answer

If you're writing secure code, the YSOD shouldn't provide a hacker with the ability to hack your application. If, however, your code is insecure, then the YSOD could provide the attacker with essential information to allow them to carry out their attack.

Say, for example, you have written your own forum software. You have put in lots of validation for when the user writes posts to prevent XSS attacks and such, but your validation is faulty. If a hacker can bring up the YSOD when they make a post, the stack trace shown could potentially show them the cracks in your validation and exploit them to create XSS attacks or obtain member details or passwords and such.

The YSOD on its own is no threat, but to a hacker, it can be a very useful way of finding flaws in your application's security.

Karl Nicoll answered Nov 13 '22 19:11
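
Added example, not part of the original question or answer: one way to keep exception details out of responses in an ASP.NET (System.Web) application while still recording them server-side, together with a non-throwing parse for the integer query-string case the question describes. The names `Global`, `QueryInput` and `TryGetPositiveInt` are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Globalization;
using System.Web;

// Global.asax.cs: last-resort handler so an unhandled exception is never
// rendered to the browser as a detailed error page.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Exception type, message and stack trace go to the server-side log only,
        // keyed by an opaque reference the user can quote to support.
        string reference = Guid.NewGuid().ToString("N");
        Trace.TraceError("[{0}] {1}", reference, ex);

        // Preserve real HTTP status codes (e.g. 404); everything else becomes 500.
        HttpException http = ex as HttpException;
        int status = http != null ? http.GetHttpCode() : 500;

        Server.ClearError();
        Response.Clear();
        Response.TrySkipIisCustomErrors = true;
        Response.StatusCode = status;
        Response.ContentType = "text/plain";
        Response.Write("Something went wrong. Reference: " + reference);
    }
}

// Hypothetical helper for the failing case in the question:
// an integer read from a query-string parameter.
public static class QueryInput
{
    // Returns false for missing, non-numeric, signed, padded or out-of-range
    // input instead of throwing FormatException or OverflowException.
    public static bool TryGetPositiveInt(HttpRequest request, string name, out int value)
    {
        string raw = request.QueryString[name];
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value)
               && value > 0;
    }
}
```

The `customErrors` element in web.config (mode `On` or `RemoteOnly`) is the framework's own switch for suppressing the detailed page and covers failures that never reach this handler.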