Guest, posted May 18, 2017:

So I know that exception handling is used to detect errors, handle them and allow the program to continue running. My question is: if exceptions weren't handled properly, does it make it easier to hack/exploit a program? I know that hackers use a method called 'fuzzing' to overload something and see if the program crashes. Is exception handling related to this, or is reverse engineering something totally out of our league?

TLDR: How does exception handling relate to reverse engineering and making bug-free software?
Zappster, posted May 18, 2017 (edited):

Depends on the function.... If I'm making a site, when it's in debug mode I'll display exceptions on the website. If it's going live, I'll log the exceptions to a file. But even then it doesn't help, take this PHP code as an example:

```php
<?php
$mysqli = mysqli_connect('localhost', 'username', 'password', 'database');
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

function selectUserByID($id) {
    global $mysqli;
    // $id is interpolated straight into the SQL text: this is the injection point
    $query = "SELECT * FROM users WHERE id = $id";
    if ($result = mysqli_query($mysqli, $query)) {
        while ($row = mysqli_fetch_assoc($result)) {
            return $row;
        }
    } else {
        // Query failed exception here: report it, then return
        printf("Error: %s\n", mysqli_error($mysqli));
        return null;
    }
    return null; // no rows matched
}
?>
```

Now, let's say we are gonna send a GET value to selectUserByID() and then output the full results:

```php
<?php
require_once("mysqli.php");
if (isset($_GET['id'])) {
    $user = selectUserByID($_GET['id']);
    if ($user != null) {
        $keys = array_keys($user);
        foreach ($keys as $key) {
            echo $user[$key] . '<br>';
        }
    }
}
?>
```

Looks fine? Right? Well, wrong. This is open to MySQL injection. Passing a ' to it will trigger the " printf("Error: %s\n", mysqli_error($mysqli)); " in our mysqli page. This lets us know that the page is open to injection. Even if we commented out the stuff that shows the error, it would be obvious (since the output data will be messed). The attacker can then inject malicious MySQL queries via the GET. The mysqli will execute the query and because it was executed successfully, the exception is never triggered.

A fix to the above function would be to add "$id = mysqli_real_escape_string($mysqli, $id);" Or better yet, switch to PDO/MySQLi via objects.

So whilst exceptions can allow us to log/display errors and keep the page running, it doesn't stop this example. If you don't want to get hacked, you need to write good code and to never trust the user.

Edited May 19, 2017 by Zappster
Final, posted May 18, 2017 (edited):

> 43 minutes ago, Zappster said:
>
> Depends on the function.... If I'm making a site, when it's in debug mode I'll display exceptions on the website. If it's going live, I'll log the exceptions to a file. But even then it doesn't help, take this PHP code as an example:
>
> ```php
> <?php
> $mysqli = mysqli_connect('localhost', 'username', 'password', 'database');
> if (mysqli_connect_errno()) {
>     printf("Connect failed: %s\n", mysqli_connect_error());
>     exit();
> }
>
> function selectUserByID($id) {
>     global $mysqli;
>     // $id is interpolated straight into the SQL text: this is the injection point
>     $query = "SELECT * FROM users WHERE id = $id";
>     if ($result = mysqli_query($mysqli, $query)) {
>         while ($row = mysqli_fetch_assoc($result)) {
>             return $row;
>         }
>     } else {
>         // Query failed exception here: report it, then return
>         printf("Error: %s\n", mysqli_error($mysqli));
>         return null;
>     }
>     return null; // no rows matched
> }
> ?>
> ```
>
> Now, let's say we are gonna send a GET value to selectUserByID() and then output the full results:
>
> ```php
> <?php
> require_once("mysqli.php");
> if (isset($_GET['id'])) {
>     $user = selectUserByID($_GET['id']);
>     if ($user != null) {
>         $keys = array_keys($user);
>         foreach ($keys as $key) {
>             echo $user[$key] . '<br>';
>         }
>     }
> }
> ?>
> ```
>
> Looks fine? Right? Well, wrong. This is open to MySQL injection. Passing a ' to it will trigger the " printf("Error: %s\n", mysqli_error($mysqli)); " in our mysqli page. This lets us know that the page is open to injection. Even if we commented out the stuff that shows the error, it would be obvious (since the output data will be messed). The attacker can then inject malicious MySQL queries via the GET. The mysqli will execute the query and because it was executed successfully, the exception is never triggered.
>
> A fix to the above function would be to add "$id = mysqli_real_escape_string($mysqli, $id);" Or better yet, switch to PDO/MySQLi via objects.
>
> So whilst exceptions can allow us to log/display errors and keep the page running, it doesn't stop this example. If you don't want to get hacked, you need to write good code and to never trust the user. ...

I've never known a five year old who has learnt PHP. Exception handling adds robustness to your solution. It means that you can account for x and ensure the program does y, similar to how you'd use 'if' conditions in a script. It's a way to know that the program will handle anything you throw at it. Exceptions are an easy way to identify if something goes wrong and an easy/lazy way of solving the issue. The security issue lies when the solution is programmed to display exception details such as a stack trace to the user; this allows users to get knowledge about the program and its potential vulnerabilities. Exceptions in almost every case will not lead to a security threat; the only time they will is with improper usage of exception handling.

Edited May 18, 2017 by Final
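The two points made in this thread, that a parameterized statement (Zappster's "switch to PDO/MySQLi") removes the injection regardless of how errors are handled, and that exception detail should stay in the server log rather than reach the user (Final's stack-trace point), can be shown side by side in one runnable example. What follows is an added example, not code from either poster: it ports the lookup to Python's `sqlite3` DB-API so it runs offline against an in-memory `users` table constructed here. All names (`make_db`, `select_user_by_id_unsafe`, `select_user_by_id_safe`, `handle_request`, `LOG_RECORDS`) and the sample rows are this example's own assumptions.

```python
import logging
import sqlite3

# In-memory log sink so the example can show what was recorded server-side
# (a deployed site would write to a file, as Zappster describes). Constructed here.
LOG_RECORDS = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))  # default formatter appends the traceback


log = logging.getLogger("users")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def make_db():
    """Constructed in-memory stand-in for the thread's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.invalid"), (2, "bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def select_user_by_id_unsafe(conn, raw_id):
    """Mirrors selectUserByID() from the thread: the request value becomes SQL text.

    A lone quote in raw_id produces a malformed statement and the driver raises,
    which is exactly the error message Zappster says reveals the injection point.
    """
    query = f"SELECT id, name, email FROM users WHERE id = {raw_id}"
    return conn.execute(query).fetchone()


def select_user_by_id_safe(conn, raw_id):
    """Parameterized form (what PDO / mysqli prepared statements give you in PHP).

    The value travels separately from the statement, so a quote character in it
    is compared as data against the id column instead of being parsed as SQL;
    the same input that broke the unsafe version simply matches no row here.
    """
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (raw_id,)
    ).fetchone()


def handle_request(conn, params, lookup=select_user_by_id_safe):
    """Request handler standing in for the thread's GET page; returns the client text.

    Driver error text and traceback go to the log only; the client gets a generic
    message, so an exception never hands out details about the query or schema.
    """
    raw_id = params.get("id")
    if raw_id is None:
        return "missing id"
    try:
        row = lookup(conn, raw_id)
    except sqlite3.Error:
        log.exception("user lookup failed for id=%r", raw_id)  # full detail, server-side
        return "internal error"  # nothing about the query or driver reaches the client
    if row is None:
        return "not found"
    return "<br>".join(str(v) for v in row)


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"id": "1"}))
    print(handle_request(db, {"id": "'"}))
    print(handle_request(db, {"id": "'"}, lookup=select_user_by_id_unsafe))
    print(LOG_RECORDS[-1].splitlines()[0])
```

Note that `handle_request` logs before it returns, which is the order the thread's `printf` after `return null;` was presumably meant to have; in PHP a statement after `return` never runs. Swapping `lookup` between the two query functions shows that the exception handling is identical in both cases and that only the parameterized statement changes whether the quote character is a problem at all.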