Your API error messages can be more dangerous than you think
So you are building some public API, & this API connects to some database or a Lightning node.
And as any good developer, you wrap your logic/validation/DB-access/LND-access code with a try-catch block.
& inside the catch block, you return the caught error in the response so that it's easier to debug later from the client side.
However, doing that will most likely increase the chances of your API getting hacked...
But why is that, you ask??
That's because of 2 reasons:
1- The error object usually exposes a lot of info about your code structure (through the stack trace) & DB schema, which should usually be kept hidden.
So using that, an attacker can keep trying different request shapes & approaches until he finds some unhandled edge case in your code that allows him to do something he isn't supposed to do...
2- Logging the entire error object can show unexpected/unpredictable info.
Did you know that some DB drivers would log the database connection string when they fail to connect... 😲
Or maybe a failed request to some 3rd party API will log the headers used which contain some secret keys...
So if the attacker were to learn that you are using the DB driver "X", which he already knows logs the connection string on connection failure, then he could, for example, make too many requests to try & max out your DB connection limit so that the connection fails. Then he searches the error messages to find your DB connection string, & just like that, he got in...
So what is the solution??
It's simple. When you catch an error in your API, you can store the logs in server log files or send them to a 3rd party logging service for debugging, but when you return something to the client, you should just return a simple custom message.
If you know the error's reason, then you can return the reason (e.g. "Payment fee is not enough"). If not, then just return a simple message like "Something unexpected happened while processing your payment, please try again later".
I know it doesn't look very nice & useful, but nor does an error stack trace (to the normal user at least), so it's good enough.
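The solution described above, as an added JavaScript example that is not code from the original post: the full error goes to a server-side log, and the client gets either a known reason or the generic message. The names `PublicError`, `toClientResponse`, `handle`, `payInvoice`, `logSink` and `errorId` are hypothetical, and the connection string is constructed for illustration.

```javascript
// Hypothetical error type: failures whose reason is safe to show the client.
class PublicError extends Error {
  constructor(message, status = 400) {
    super(message);
    this.status = status;
  }
}

const GENERIC_MESSAGE =
  "Something unexpected happened while processing your payment, please try again later";

// Map any caught error to the response the client sees.
// The full error (message, stack) goes only to the server-side log sink.
function toClientResponse(err, logSink) {
  // Correlation ID only (not a secret): ties a user report to the log entry.
  const errorId =
    Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
  logSink({ errorId, name: err.name, message: err.message, stack: err.stack });
  if (err instanceof PublicError) {
    return { status: err.status, body: { error: err.message, errorId } };
  }
  return { status: 500, body: { error: GENERIC_MESSAGE, errorId } };
}

// Wrap a handler so nothing it throws reaches the client unfiltered.
async function handle(handler, request, logSink) {
  try {
    return { status: 200, body: await handler(request) };
  } catch (err) {
    return toClientResponse(err, logSink);
  }
}

// Constructed sample handler: the second throw imitates a driver error
// that embeds a (made-up) connection string in its message.
async function payInvoice(request) {
  if (request.fee < 10) throw new PublicError("Payment fee is not enough");
  throw new Error("connect failed: postgres://app:s3cret@db.internal:5432/pay");
}

// Usage: handle(payInvoice, { fee: 50 }, (entry) => console.error(entry))
```

The log entry still holds whatever the driver put in its message, so the log store needs the same access control as the secrets themselves.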