My Pentest Log -17 - (Stack Trace in ASP.NET)
Greetings from Perama to all,
Today, I would like to tell you about a vulnerability through which I could learn some details about the SMTP of the target application via its non-customized error page.
1. Our project manager informed me that I would perform security tests on “private.com”.
2. As always, I first verified the scope form and rolled up my sleeves for the necessary safety tests.
3. First, I started the recon stages on the target application. As always, I began by trying to determine which programming language the application was written in. I have shared the reason for this in my previous articles; those of you who are curious can take a look.
4. I discovered that the target application was built with “ASP.NET”. (Bofff)
5. Being an “ASP.NET” application has both advantages and disadvantages, and the disadvantages always outweigh the advantages, but this time luck was on my side and there was an issue that gave me an advantage.
6. Since the developer did not take the necessary stack trace measures on the application, I could easily obtain sensitive information about the application through the relevant error page by making the application return an error page with various inputs.
So what is Stack Trace Disclosure and why is it important for asp.net?
To summarize, Stack Trace Disclosure is a security vulnerability that occurs when an application includes sensitive or non-sensitive internal information in its error messages and displays those detailed messages on the user’s screen. Sometimes the output contains information about the application’s web server, sometimes code blocks of the application, and sometimes the application’s SQL queries, user names, and other sensitive information.
So, is this vulnerability only valid for ASP?
No. Stack trace problems exist in many programming languages, but if the relevant hardening work is not fully carried out in ASP applications, the error pages can disclose more sensitive data than those of other programming languages.
There are certain methods for the solution, but in general, you can direct all error pages to a page you specify via the “web.config” file.
In addition, you can check out the detailed article written by Scott:
https://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability
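To make the “web.config” fix above concrete, here is an added example (not code from the original post or from the tested application) that audits a web.config for the settings that let detailed error pages reach the browser. Both sample configurations are constructed, `~/Error.aspx` is a placeholder page name, and the function name `audit_web_config` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: settings that let detailed errors reach the browser.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>"""

# Constructed sample: every error goes to one generic page (placeholder name).
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" />
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for settings that expose error details."""
    root = ET.fromstring(xml_text)
    findings = []
    custom = root.find("./system.web/customErrors")
    # A missing element means ASP.NET's default, RemoteOnly; only "Off" shows traces remotely.
    mode = custom.get("mode", "RemoteOnly") if custom is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors mode=Off: stack traces are shown to every client")
    elif custom is None or not custom.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect: errors are not routed to a page you chose")
    compilation = root.find("./system.web/compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true: traces include file paths and line numbers")
    http_errors = root.find("./system.webServer/httpErrors")
    if http_errors is not None and http_errors.get("errorMode", "").lower() == "detailed":
        findings.append("httpErrors errorMode=Detailed: IIS sends detailed errors to remote clients")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg))
```

The weak sample produces three findings and the hardened sample produces none.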
7. From here, after determining that the necessary stack trace configurations had not been made on the relevant application, I focused on the pages where sensitive information could be found and went directly to the form on the “contact” page.
8. I tried to return an error page by entering various special characters in the inputs on the form and I was successful.
9. Thanks to the special characters I entered in the inputs on the form, I was able to view various sensitive information about the application’s SMTP and some of the code blocks.
10. And at the end of the day, I was able to obtain information about SMTP through the error message on the application.
In summary:
By carefully reviewing the input points during practice tests, you can achieve satisfactory results at the end of the day.