Custom Error Pages Are Not Configured in WEB-INF/web.xml
Description
This Java web application is not configured to use custom error pages in its WEB-INF/web.xml deployment descriptor. When errors occur, the application displays default error pages that expose sensitive technical information including server version details, application framework information, and complete stack traces. This information disclosure occurs because no custom error-page mappings have been defined to intercept and handle HTTP error responses.
Remediation
Configure custom error pages in the WEB-INF/web.xml file to prevent information leakage when errors occur. Follow these steps:
1. Create user-friendly error pages (e.g., error.jsp, 404.jsp) that display generic error messages without technical details.
2. Add error-page mappings to your web.xml file for common HTTP error codes and Java exceptions.
3. Ensure error pages do not include stack traces or server information in production environments.
Example configuration for web.xml:
<!-- Handle specific HTTP error codes -->
<error-page>
    <error-code>404</error-code>
    <location>/errors/404.jsp</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <location>/errors/500.jsp</location>
</error-page>

<!-- Handle Java exceptions -->
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/errors/general-error.jsp</location>
</error-page>
Additionally, ensure that detailed error logging is configured server-side for debugging purposes while only generic messages are displayed to end users.
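The following is an added audit script, not part of the original finding or of any particular project: it parses a web.xml deployment descriptor and reports whether the error-page mappings described above are present. The two embedded descriptors are constructed samples (one with no mappings, one with the remediation plus a java.lang.Throwable catch-all); the set of HTTP codes it insists on (404 and 500) is an assumption that a team would extend to match its own policy.

```python
"""Audit a web.xml for error-page coverage (the check behind this finding)."""
import xml.etree.ElementTree as ET

# Constructed sample: a descriptor with no <error-page> mappings at all.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>demo</display-name>
  <servlet>
    <servlet-name>main</servlet-name>
    <servlet-class>com.example.MainServlet</servlet-class>
  </servlet>
</web-app>
"""

# Constructed sample: the remediation mappings, with java.lang.Throwable as the
# catch-all (it also covers Errors, which java.lang.Exception does not).
FIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/errors/404.jsp</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.jsp</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type>
              <location>/errors/general-error.jsp</location></error-page>
</web-app>
"""

# Assumed minimum set of status codes that must have a custom page; extend per policy.
REQUIRED_CODES = {"404", "500"}
CATCH_ALL_TYPES = {"java.lang.Throwable", "java.lang.Exception"}


def _local(tag):
    """Strip the XML namespace so namespaced (Servlet 2.4+) and DTD-based descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_error_pages(web_xml):
    """Return (codes, exception_types, default_location) collected from <error-page> elements."""
    root = ET.fromstring(web_xml)
    codes, exceptions = {}, {}
    default_location = None
    for elem in root:
        if _local(elem.tag) != "error-page":
            continue
        location = _child_text(elem, "location")
        code = _child_text(elem, "error-code")
        exc = _child_text(elem, "exception-type")
        if code:
            codes[code] = location
        elif exc:
            exceptions[exc] = location
        else:
            # Servlet 3.0+: an <error-page> with only <location> is the default for every error.
            default_location = location
    return codes, exceptions, default_location


def audit_web_xml(web_xml):
    """Return a list of findings; an empty list means custom error pages are configured."""
    codes, exceptions, default_location = parse_error_pages(web_xml)
    findings = []
    if not codes and not exceptions and default_location is None:
        findings.append("no <error-page> mappings: container default error pages will be shown")
        return findings
    if default_location is None:
        for code in sorted(REQUIRED_CODES - set(codes)):
            findings.append(f"no error-page for HTTP {code}")
        if not (CATCH_ALL_TYPES & set(exceptions)):
            findings.append("no catch-all exception-type (java.lang.Throwable) mapping")
    # <location> must be a context-relative path starting with "/".
    for loc in list(codes.values()) + list(exceptions.values()) + [default_location]:
        if loc is not None and not loc.startswith("/"):
            findings.append(f"location {loc!r} must be an absolute path within the web app")
    return findings


if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(f"{name}: {audit_web_xml(doc) or 'OK'}")
```

Run it against WEB-INF/web.xml by reading the file into audit_web_xml; an empty result means every required code has a page and a catch-all exception mapping exists. Two things the script cannot see are worth checking by hand: the error pages themselves must not print the exception object or request attributes such as javax.servlet.error.exception, and placing them under /WEB-INF/ (for example /WEB-INF/errors/404.jsp) keeps them reachable by the container's error dispatch while blocking direct browser requests to them.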