J2EE Misconfiguration: Missing Custom Error Page

ID: 7
Date: (C) 2012-05-14   (M) 2012-11-08
Type: weakness
Status: INCOMPLETE
Abstraction Type: Variant

Description

The default error page of a web application should not display sensitive information about the software system.

Extended Description

A Web application must define a default error page for 4xx (e.g. 404) and 5xx (e.g. 500) errors, and must catch java.lang.Throwable exceptions, to prevent attackers from mining information from the application container's built-in error response.

Applicable Platforms
Language: Java

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope           | Technical Impact      | Notes
Confidentiality | Read application data |

Detection Methods
None

Potential Mitigations

Phase          | Strategy             | Description                                                                              | Effectiveness | Notes
Implementation |                      | Handle exceptions appropriately in source code.                                          |               |
Implementation | System Configuration | Always define appropriate error pages.                                                   |               |
Implementation |                      | Do not attempt to process an error or attempt to mask it.                                |               |
Implementation |                      | Verify return values are correct and do not supply sensitive information about the system. |               |

Relationships

Related CWE             | Type     | View    | Chain
CWE-7 ChildOf CWE-895   | Category | CWE-888 |

Demonstrative Examples   (Details)

  1. In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things). (Demonstrative Example Id DX-76)
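The snippet referred to above is not present on this page. The following is an added example (not CWE's DX-76 and not SecPod's code) that shows the pattern it describes next to the mitigations listed above; the servlet names, the "id" parameter and the /WEB-INF/error.jsp path are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// AccountServlet.java -- vulnerable form (the pattern DX-76 describes): only the
// expected checked exception is caught, so a RuntimeException from a malformed
// "id" parameter escapes the servlet and the container renders its default
// error page, which typically includes a full stack trace.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            int id = Integer.parseInt(req.getParameter("id")); // NumberFormatException on "abc"
            resp.getWriter().println("Account " + id);
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }
}

// SafeAccountServlet.java -- hardened form: any Throwable is logged server-side
// only and the client is forwarded to an application-owned page under /WEB-INF
// (hypothetical path), so nothing about the container or the failure leaks.
public class SafeAccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            int id = Integer.parseInt(req.getParameter("id"));
            resp.getWriter().println("Account " + id);
        } catch (Throwable t) {
            log("request failed", t); // GenericServlet.log: server log only
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            req.getRequestDispatcher("/WEB-INF/error.jsp").forward(req, resp);
        }
    }
}

// Matching web.xml entries so the container itself uses the same page for
// 4xx/5xx responses and any Throwable that still escapes a servlet:
//   <error-page><error-code>404</error-code><location>/WEB-INF/error.jsp</location></error-page>
//   <error-page><error-code>500</error-code><location>/WEB-INF/error.jsp</location></error-page>
//   <error-page><exception-type>java.lang.Throwable</exception-type>
//               <location>/WEB-INF/error.jsp</location></error-page>
```

Requesting /account?id=abc against the first servlet shows the container's own error page; against the second, and for any unmapped URL once the web.xml entries are in place, the client only ever sees error.jsp.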

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy             | Id | Name                                         | Fit
7 Pernicious Kingdoms |    | J2EE Misconfiguration: Missing Error Handling |

© 2013 SecPod Technologies