4.8 Testing for Error Handling

Testing for Error Handling

4.8.1 Testing for Improper Error Handling

• Trigger Web Server errors:

  • Search for random files and folders that will not be found (404s).

  • Try to request folders that exist and see the server behavior (403s, blank page, or directory listing).

  • Try sending a request that breaks the HTTP RFC. One example would be to send a very large path, break the headers format, or change the HTTP version.

• Trigger Web Application errors:

  • Identify possible input points where the application is expecting data.

  • Analyse the expected input type (strings, integers, JSON, XML, etc.).

  • Try to inject unexpected data like negative numbers, strings, random values, one extra bracket.

  • Understand the service responding with the error message and try to make a more refined fuzz list to bring out more information or error details from that service (it could be a database, a standalone service, etc.).

Evidence:

​

4.8.2 Testing for Stack Traces

This content has been merged into: Testing for Improper Error Handling.

Evidence:

​