ASP.NET - Hacking the yellow screen of death

Question

In some of my books that I've read, it is stated that it is good to hide yellow screens of death (obviously), but not only for the reason in that it is quite informal to users, but also because hackers can use the information to hack your website.

My question is this. How can a hacker use this information? How does a call stack of basic operations of the .NET call stack help hackers?

I attached a yellow screen of death that I encountered on one of the websites that I created a long time ago and it sparked my interest. (The error is that it fails when attempting to cast a query string parameter to an int. Yea, I know its bad code, I wrote it many years ago ;)

Answer 1

If you're writing secure code, the YSOD shouldn't provide a hacker with the ability to hack your application. If however, your code is insecure, then the YSOD could provide the attacker with essential information to allow them to carry out their attack.

Say, for example, you have written your own forum software. You have put in lots of validation for when the user writes posts to prevent XSS attacks and such, but your validation is faulty. If a hacker can bring up the YSOD when they make a post, the stack trace shown could potentially show them the cracks in your validation and exploit them to create XSS attacks or obtain member details or passwords and such.

The YSOD on it's own is no threat, but to a hacker, it can be a very useful way of finding flaws in your application's security.

Answer 2

There are several different ways this could compromise your application... but most of them would only make it easier for an attack... the vulnerability would probably already have to be there. For example, you could easily reveal a hard-coded password or salt, or reveal a line of code accepting user input without properly sterilizing it.

Answer 3

As mentioned by others YSOD itself is not necessarily always helpful to hacker but assume on your Line 13: in your code above you had your hard-coded Connection string or an inline sql query.

I now know from your YSOD that the "id" meant in your querysting is actually artId and not any randorm id number which may be of some use to hacker.

Also if hacker was able to get more than one different YSOD, it might reveal more info as a whole and sufficient enough to damage your app.

Sometime back MS reported a security vulnerability with ASP.NET where the workaround provided was to enable CustomErrors and hide from user the error-code and any paricular error related detail.

Answer 4

One thing that hasn't been mentioned yet is that an attacker would now have good reason to believe that you're using a MySql database (which they wouldn't be likely to guess about an ASP.NET app otherwise), helping them to narrow the range of potential attacks. No sense in making their job easier than it has to be.