CWE-16
OWASP 2013-A5
OWASP 2017-A6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Custom Error Pages Are Not Configured in WEB-INF/web.xml

Severity: Medium

Summary

Invicti detected that the web application displays detailed error messages that disclose the server version and detailed stack trace information.


It's recommended to modify the configuration file WEB-INF/web.xml to display custom error pages, which prevents this information leakage.

Impact

The detailed error messages contain potentially sensitive information that might help an attacker to conduct further attacks.

Remediation
Actions To Take

With the following configuration, an error page is displayed whenever the application responds with an HTTP 500 error. You can add additional entries for other HTTP status codes as well:


<!-- Place inside the <web-app> element of WEB-INF/web.xml -->
<error-page>
    <error-code>500</error-code>
    <location>/path/to/error.jsp</location>
</error-page>
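An added example, not part of the original Invicti page: a Python check that parses a web.xml and reports which status codes would still fall through to the container's default error page. The function names, the sample descriptor and the list of required codes (400, 403, 404, 500) are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a descriptor that maps only HTTP 500, as in the snippet above.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page>
    <error-code>500</error-code>
    <location>/path/to/error.jsp</location>
  </error-page>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so namespaced and plain descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def error_page_mappings(web_xml_text):
    """Return (codes, exception_types, default_location) declared in web.xml."""
    root = ET.fromstring(web_xml_text)
    codes, exceptions, default = {}, {}, None
    for el in root.iter():
        if _local(el.tag) != "error-page":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        location = fields.get("location", "")
        if not location:
            continue  # an entry without a location maps nothing
        if "error-code" in fields:
            codes[fields["error-code"]] = location
        elif "exception-type" in fields:
            exceptions[fields["exception-type"]] = location
        else:
            default = location  # Servlet 3.0+ catch-all entry (no code, no type)
    return codes, exceptions, default


# Assumption: the status codes this audit insists on; adjust to your policy.
def missing_error_pages(web_xml_text, required=("400", "403", "404", "500")):
    """List required status codes that still get the container's default page."""
    codes, _exceptions, default = error_page_mappings(web_xml_text)
    if default:
        return []  # a catch-all error page covers every status code
    return [code for code in required if code not in codes]


if __name__ == "__main__":
    print("Missing custom error pages:", missing_error_pages(SAMPLE_WEB_XML))
```
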
