Improved Detection of Unhandled Errors in WAS engine 4.4

Document created by Dave Ferguson Employee on Oct 24, 2017
Version 1Show Document
  • View in full screen mode

One of the recent changes in WAS scanning engine 4.4 is improved detections for unhandled errors and exceptions.  As a result of this change, you may see an increased number of findings for QID 150022 - "Verbose Error Message" for some web apps.  Note this QID was called "Syntax Error Occurred" prior to 4.4.


The previous approach for identifying unhandled errors and exceptions was prone to false negatives in some cases.  Via pattern matching on returned text, the scanner performs checks for different types of errors that may be present in the response from the server.  This occurred during vulnerability testing phases only.  The checks were not performed during crawl/discovery phase because errors typically happen during testing, not crawling.  Furthermore, it was found that false positives could happen due to legitimate text on crawled pages that appeared to be an error.  This often occurred when scanning things like technical Wikis, bug tracking systems, programming-related sites, etc. 


The improvement made in 4.4 is that the check for errors is now performed in the crawl/discovery phase of the scan as well as the testing phase.  The issue of false positives has been avoided because the QID is reported only if error text is identified AND the response code is 500 (internal server error).  The primary benefit of the change is fewer false negatives for QID 150022.


Fewer false negatives for QID 150056 (SQL Error Message Detected) and QID 150003 (SQL Injection) are also expected as part of these changes.

2 people found this helpful