Building an error reporting facility into your web
applications can be beneficial when improving site security. It also has the
added benefit of being able to notify the web developer as soon as bugs arise,
enabling problems to be fixed and the web application made more robust. If the
error reporting makes use of e-mail to send the errors, then the application
will benefit from a near-real-time reporting system for errors and suspicious
website activity.

An error reporting e-mailing function for classic ASP was
described in this ASPAlliance article: http://aspalliance.com/brettb/ErrorReportEmailer.asp.
Error handling in ASP.NET is much improved. There is an Application_Error
subroutine in the Global.asax that is called whenever an error is encountered
within an ASP.NET page within the web application. There is also a Page_Error
event that is called should there be an error on an individual page. ASP.NET
also offers improved tracing of errors, such as the ability to view the line
number that raised the error (an application must be compiled in Debug mode in
order for line numbers to be present in error reports).

Once the error reporting e-mail function has been
incorporated into the website, the e-mails can then be monitored in order to
detect security issues. Depending on the way the application was coded, failed
login attempts, attempted SQL injection attacks or other suspicious activity
will often cause error reports to be generated.

Note that if the web application has a high level of
traffic, it is advisable to build in a limit to the number of e-mail error
reports that are sent in a specified time period. A variable within the ASP
Application object can be used to keep a count of the number of e-mails sent in
a specific time period.
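
The following Global.asax code-behind is an added example, not code from the original article: it shows an Application_Error handler that e-mails the error and uses counters in the Application object to cap the number of reports per time window. The addresses, SMTP host, limit values and Application key names are placeholders chosen for illustration.

```csharp
// Global.asax.cs - added example; addresses, host, limits and key names are placeholders.
using System;
using System.Net.Mail;
using System.Web;
public class Global : HttpApplication
{
    private const int MaxMailsPerWindow = 20;                        // assumed limit
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        // Unhandled page errors arrive wrapped in HttpUnhandledException.
        if (ex is HttpUnhandledException && ex.InnerException != null) ex = ex.InnerException;
        if (!TryReserveMailSlot()) return;    // over the limit: drop this report
        // Request line and client only; posted form fields (passwords) are left out.
        string body =
            "Time (UTC): " + DateTime.UtcNow.ToString("u") + Environment.NewLine +
            "URL: " + Request.Url + Environment.NewLine +
            "Client IP: " + Request.UserHostAddress + Environment.NewLine +
            Environment.NewLine + ex;         // ToString() includes the stack trace
        try
        {
            using (var mail = new MailMessage("webapp@example.com", "dev@example.com"))
            using (var smtp = new SmtpClient("smtp.example.com"))
            {
                mail.Subject = "Site error: " + ex.GetType().Name;  // no request data in headers
                mail.Body = body;
                smtp.Send(mail);
            }
        }
        catch (SmtpException) { /* reporting must never raise a second error */ }
    }
    // Counts reports in the Application object; the count resets when the window expires.
    private bool TryReserveMailSlot()
    {
        Application.Lock();                   // serialize updates across request threads
        try
        {
            DateTime start = (Application["ErrMailWindowStart"] as DateTime?) ?? DateTime.MinValue;
            int sent = (Application["ErrMailCount"] as int?) ?? 0;
            if (DateTime.UtcNow - start > Window) { start = DateTime.UtcNow; sent = 0; }
            if (sent >= MaxMailsPerWindow) return false;
            Application["ErrMailWindowStart"] = start;
            Application["ErrMailCount"] = sent + 1;
            return true;
        }
        finally { Application.UnLock(); }
    }
}
```

Application state is held per worker process, so on a web farm or web garden the cap applies to each process separately.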