CWE-7: J2EE Misconfiguration: Missing Custom Error Page
Learn about CWE-7 (J2EE Misconfiguration: Missing Custom Error Page), its security impact, exploitation methods, and prevention guidelines.
What is J2EE Misconfiguration: Missing Custom Error Page?
• Overview: J2EE Misconfiguration: Missing Custom Error Page is a vulnerability where a web application lacks a custom error page, exposing sensitive information when errors occur.
• Exploitation Methods:
- Attackers can exploit this vulnerability by intentionally triggering errors to view default error pages.
- Common attack patterns include probing for non-existent resources or causing exceptions to reveal stack traces or configuration details.
• Security Impact:
- Direct consequences include exposure of sensitive information such as server details, application stack, or code paths.
- Potential cascading effects include easier discovery of other vulnerabilities due to leaked information.
- Business impact may involve unauthorized access, data breaches, and loss of customer trust.
• Prevention Guidelines:
- Specific code-level fixes include configuring web.xml to define custom error pages for HTTP error codes and exceptions.
- Security best practices involve regularly reviewing and testing error handling mechanisms for information leaks.
- Recommended tools and frameworks include using security-focused libraries and application servers that support customizable error handling.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Java
Affected Technologies: Not specified
Vulnerable Code Example
Java Example: J2EE Misconfiguration: Missing Custom Error Page
// Vulnerable code: Default error pages are not defined, which can expose server details
<web-app>
<!-- Other configurations -->
<!-- Missing custom error page configuration -->
</web-app>
Explanation:
- Exposure Risk: Without custom error pages, the server may display default error pages that reveal sensitive information, such as server version details or stack traces. This can be exploited by attackers to gain insights into potential vulnerabilities.
How to fix J2EE Misconfiguration: Missing Custom Error Page?
To fix this vulnerability, define custom error pages in your web.xml file. Custom error pages should be user-friendly, provide minimal technical details, and offer guidance on what the user can do next. This prevents the default server error pages from displaying sensitive information.
Best Practices:
- Define Specific Error Pages: Configure custom pages for common HTTP error codes (e.g., 404, 500).
- Generic Error Handling: Provide a generic error page for unexpected errors.
- Minimal Information: Avoid displaying stack traces or server information.
- User Guidance: Direct users to contact support or return to the homepage.
Fixed Code Example
// Fixed code: Custom error pages are defined for specific error codes and generic errors
<web-app>
<!-- Other configurations -->
<!-- Custom error page for 404 Not Found -->
<error-page>
<error-code>404</error-code>
<location>/error-404.html</location>
</error-page>
<!-- Custom error page for 500 Internal Server Error -->
<error-page>
<error-code>500</error-code>
<location>/error-500.html</location>
</error-page>
<!-- Generic error page for other unhandled errors -->
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error-generic.html</location>
</error-page>
</web-app>
Explanation:
- Specific Error Handling: Specific error codes such as 404 and 500 are handled with custom HTML pages, preventing exposure of sensitive server details.
- Generic Error Handling: The use of
java.lang.Throwableensures that all other exceptions are redirected to a generic error page, enhancing security by not exposing stack traces. - User-Friendly Pages: The custom error pages (
error-404.html,error-500.html,error-generic.html) should be designed to inform users without revealing sensitive server information, and should provide helpful guidance to the user.