J2EE Misconfiguration: Missing Custom Error Page
ID: 7 | Date: (C)2012-05-14 (M)2022-10-10 | Type: weakness | Status: INCOMPLETE | Abstraction Type: Variant
Description
The default error page of a web application should not display
sensitive information about the software system.
Extended Description
A Web application must define a default error page for 4xx errors (e.g. 404) and 5xx errors (e.g. 500), and must catch java.lang.Throwable exceptions, to prevent attackers from mining information from the application container's built-in error response.
Applicable Platforms
Language: Java
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Confidentiality | Read application data | 
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Implementation | | Handle exceptions appropriately in source code. | | 
Implementation; System Configuration | | Always define appropriate error pages. | | 
Implementation | | Do not attempt to process an error or attempt to mask it. | | 
Implementation | | Verify return values are correct and do not supply sensitive information about the system. | | 
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-7 ChildOf CWE-895 | Category | CWE-888 | 
Demonstrative Examples (Details)
- In the snippet below, an unchecked runtime exception thrown from
within the try block may cause the container to display its default error
page (which may contain a full stack trace, among other
things). (Demonstrative Example Id DX-76)
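The snippet itself is not reproduced on this page. As an added example (not part of the CWE entry), the web.xml mappings below give the container a custom page for 4xx and 5xx status codes and for any uncaught java.lang.Throwable, so an unchecked exception escaping a try block no longer reaches the built-in error response; the page paths under /WEB-INF/errors/ are assumed names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: error-page mappings that replace the container's
     built-in error response. The /WEB-INF/errors/ paths are assumed names;
     keeping them under WEB-INF means they can only be reached via the
     container's internal forward, never by a direct request. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 4xx: client errors such as a request for a missing resource -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/errors/not-found.jsp</location>
  </error-page>

  <!-- 5xx: server errors -->
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/errors/generic.jsp</location>
  </error-page>

  <!-- Any uncaught exception: mapping java.lang.Throwable covers every
       exception type, including unchecked RuntimeExceptions that escape
       a try block in a servlet or JSP -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/generic.jsp</location>
  </error-page>

  <!-- Servlet 3.0 and later: a mapping with neither error-code nor
       exception-type is the default for anything not matched above -->
  <error-page>
    <location>/WEB-INF/errors/generic.jsp</location>
  </error-page>
</web-app>
```

The target pages must themselves stay generic: log the exception server-side, but do not echo the javax.servlet.error.exception request attribute, a stack trace, or the failing class name into the response.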
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
7 Pernicious Kingdoms | | J2EE Misconfiguration: Missing Error Handling | 