Many web applications return informative error messages when unexpected events occur. These may range from simple built-in messages that disclose only the category of the error to full-blown debugging information that gives away a lot of details about the application's state.
Most applications are subject to various kinds of usability testing prior to deployment. This testing typically identifies most error conditions that may arise when the application is being used in the normal way. Therefore, these conditions usually are handled in a graceful manner that does not involve any technical messages being returned to the user. However, when an application is under active attack, it is likely that a much wider range of error conditions will arise, which may result in more detailed information being returned to the user. Even the most security-critical applications, such as those used by online banks, have been found to return highly verbose debugging output when a sufficiently unusual error condition is generated.
When an error arises in an interpreted web scripting language, such as VBScript, the application typically returns a simple message disclosing the nature of the error, and possibly the line number of the file where the error occurred. For example:
Microsoft VBScript runtime error 800a0009 Subscript out of range: [number −1] /register.asp, line 821
This kind of message typically does not contain any sensitive information about ...
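As an added illustration (not code from the book), the following Python parses the VBScript message format quoted above into its fields and classifies a response body as "verbose" or "graceful", the kind of check a reviewer runs over captured responses to find pages that leak engine, path or line-number detail. The regex, the generic leak heuristics and the sample bodies are assumptions constructed for this example.

```python
import re
from typing import Optional

# Pattern for the VBScript-style message quoted above: engine, hex error code
# (IIS sometimes wraps it in quotes), free-text detail, script path, line.
VBSCRIPT_ERROR = re.compile(
    r"Microsoft VBScript (?P<kind>runtime|compilation) error\s+"
    r"'?(?P<code>[0-9a-fA-F]{8})'?\s+"
    r"(?P<detail>.*?)\s*"
    r"(?P<path>/[^\s,]+),\s*line\s+(?P<line>\d+)",
    re.DOTALL,
)

# Assumed heuristics for implementation detail leaking from other engines:
# source line numbers, stack dumps and server-side script paths.
GENERIC_LEAKS = [
    re.compile(r"\bline\s+\d+\b", re.I),
    re.compile(r"\bstack trace\b", re.I),
    re.compile(r"/[\w./-]+\.(?:asp|aspx|php|jsp)\b", re.I),
]


def parse_vbscript_error(body: str) -> Optional[dict]:
    """Return the structured fields of a VBScript error message, or None."""
    m = VBSCRIPT_ERROR.search(body)
    if not m:
        return None
    return {
        "kind": m.group("kind"),
        "code": m.group("code").lower(),
        "detail": m.group("detail").strip(),
        "path": m.group("path"),
        "line": int(m.group("line")),
    }


def classify_error_response(body: str) -> str:
    """'verbose' if the body leaks engine/path/line detail, else 'graceful'."""
    if parse_vbscript_error(body) is not None:
        return "verbose"
    if any(p.search(body) for p in GENERIC_LEAKS):
        return "verbose"
    return "graceful"


# Constructed sample bodies: the first mirrors the message quoted above, the
# second is the handled error a usability-tested code path would return.
VERBOSE_BODY = ("Microsoft VBScript runtime error 800a0009\n"
                "Subscript out of range: [number -1]\n"
                "/register.asp, line 821")
GRACEFUL_BODY = "<p>Sorry, something went wrong. Please try again later.</p>"
```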