LIVY-895: Livy service improper error handling

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects versions: 0.7.0, 0.9.0
    • Component: API
    • Labels: None

    Description

      Affected API: POST /sessions

      Description: The application does not handle exceptions properly. When junk characters are supplied in a parameter, an exception is raised and the server responds with status code 500, which should not be visible to the end user. Throughout the applications and APIs in scope, JSON parsers, XML parsers and the application server were observed to throw exceptions and return stack traces in several cases.

      Risk:

      If an attacker probes the application by forging a request that contains parameters or parameter values other than those the application expects, the application may enter an undefined state that makes it vulnerable to attack. The attacker can gain useful information from the application's response to such a request, and that information may be exploited to locate application weaknesses.

      Fix:
      Check incoming requests for the presence of all expected parameters and values. When a parameter is missing, issue a proper error message or use default values. The application should verify that its input consists of valid characters (after decoding). For example, an input value containing a null byte (encoded as %00), apostrophes, quotes, etc. should be rejected. Enforce values in their expected ranges and types.
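      The checks described in the Fix section, as an added example that is not Livy's own code: a validator for a POST /sessions body that answers malformed JSON, unexpected parameters, wrong types, out-of-range values and strings containing null bytes or quotes with a 400 and a generic reason, so the parser's exception never surfaces as a 500 with a stack trace. The field names are assumed to follow the Livy REST API and are illustrative only.

```python
# Added example (not Livy's code): validate a POST /sessions body so that bad
# input yields a 400 with a generic message instead of an unhandled exception.
import json

# Expected parameters and the type each must have (assumed field names).
SCHEMA = {
    "kind": str, "name": str, "proxyUser": str,
    "heartbeatTimeoutInSecond": int, "conf": dict,
}
ALLOWED_KINDS = {"spark", "pyspark", "sparkr", "sql"}
BAD_CHARS = {"\x00", "'", '"'}   # rejected after decoding, as the Fix suggests


def _clean_string(value):
    """True if the string has no null byte, quotes, apostrophe or control chars."""
    return not any(c in BAD_CHARS or ord(c) < 0x20 for c in value)


def validate_session_request(raw):
    """Return (status, body). A 400 carries only a generic reason; the parser's
    own message and any stack trace stay server-side (log them there)."""
    try:
        payload = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):      # JSONDecodeError is a ValueError
        return 400, {"msg": "Request body is not valid JSON"}
    if not isinstance(payload, dict):
        return 400, {"msg": "Request body must be a JSON object"}
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        return 400, {"msg": "Unexpected parameter(s)", "fields": sorted(unknown)}
    for key, typ in SCHEMA.items():
        if key not in payload:
            continue                               # missing: server default applies
        val = payload[key]
        if not isinstance(val, typ) or isinstance(val, bool):   # bool is an int subclass
            return 400, {"msg": "Wrong type", "fields": [key]}
        if typ is str and not _clean_string(val):
            return 400, {"msg": "Invalid characters", "fields": [key]}
    if "kind" in payload and payload["kind"] not in ALLOWED_KINDS:
        return 400, {"msg": "Unsupported kind", "fields": ["kind"]}
    if payload.get("heartbeatTimeoutInSecond", 0) < 0:
        return 400, {"msg": "Out of range", "fields": ["heartbeatTimeoutInSecond"]}
    conf = payload.get("conf", {})
    if not all(isinstance(k, str) and isinstance(v, str)
               and _clean_string(k) and _clean_string(v) for k, v in conf.items()):
        return 400, {"msg": "Invalid conf entries", "fields": ["conf"]}
    return 201, {"kind": payload.get("kind", "spark"), "state": "starting"}
```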

      Evidence:
      In the attachment


      Attachments

        1. livy 500 sever error.rtf (2 kB, uploaded by Evelyn Liang)

      People

        Assignee: Unassigned
        Reporter: Evelyn Liang