Sunday, July 13, 2014

Configure generic error pages in place of verbose error messages

Some Apache Tomcat instances are configured to display verbose error messages. These messages contain technical details such as stack traces, and because the content of an error message is unpredictable, other sensitive details (file system paths, class and library names, fragments of queries) may end up being disclosed as well.

The impact is that attackers can fingerprint the server from the information disclosed in error messages (the Tomcat version banner alone tells them which known bugs apply), or deliberately trigger specific errors, for example by sending malformed parameters or requesting non-existent paths, to harvest technical information about the application and the server.

To avoid this, configure the server so that Apache Tomcat displays generic, non-detailed error pages instead.
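Before and after changing the configuration, it is worth checking what the server actually returns for an error. The following script is an added example, not part of the original post: it scans HTTP response bodies for the markers that give a Tomcat default error report away (the version banner, exception class names, stack frames with source file and line number, the "HTTP Status NNN" heading) and reports which URLs still leak them. The two sample bodies are constructed for this example (the verbose one imitates the layout of Tomcat's built-in error report; it is not captured from a real server), and the indicator list is a starting point you would extend for your own stack.

```python
import re

# Constructed sample bodies (not captured from any real server): the first
# imitates Tomcat's default error report, the second a generic custom page.
VERBOSE_BODY = """<html><head><title>Apache Tomcat/7.0.54 - Error report</title></head>
<body><h1>HTTP Status 500 - </h1>
<p><b>exception</b></p><pre>java.lang.NullPointerException
\torg.example.shop.CartServlet.doPost(CartServlet.java:42)
\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:646)
</pre><h3>Apache Tomcat/7.0.54</h3></body></html>"""

GENERIC_BODY = """<html><body><h1>Something went wrong</h1>
<p>The request could not be completed. Reference: 8f3a2c.</p></body></html>"""

# Each indicator is (compiled pattern, what a match discloses to an attacker).
INDICATORS = [
    (re.compile(r"Apache Tomcat/\d+(?:\.\d+)+"),
     "server product and version"),
    (re.compile(r"\b(?:java|javax|jakarta|org\.apache)\.[\w.$]*(?:Exception|Error)\b"),
     "exception class name"),
    (re.compile(r"^\s*(?:at\s+)?[\w.$]+\.[\w$<>]+\([\w$]+\.java:\d+\)", re.MULTILINE),
     "stack frame with source file and line number"),
    (re.compile(r"\bHTTP Status \d{3}\b"),
     "container default error page"),
]


def find_disclosures(body):
    """Return [(label, matched_text), ...], one entry per indicator present."""
    found = []
    for pattern, label in INDICATORS:
        match = pattern.search(body)
        if match:
            found.append((label, match.group(0).strip()))
    return found


def is_generic(body):
    """True when the body shows none of the verbose-error indicators."""
    return not find_disclosures(body)


def scan_responses(responses):
    """responses: {url: body}. Returns {url: disclosures} for failing URLs only."""
    failing = {}
    for url, body in responses.items():
        disclosures = find_disclosures(body)
        if disclosures:
            failing[url] = disclosures
    return failing


if __name__ == "__main__":
    # In practice the bodies come from requests that force errors: a path that
    # does not exist, a parameter of the wrong type, an unsupported HTTP method.
    results = scan_responses({"/cart": VERBOSE_BODY, "/missing": GENERIC_BODY})
    for url, disclosures in results.items():
        print(url)
        for label, text in disclosures:
            print("  %s: %s" % (label, text))
```

Feed the scanner with the bodies of deliberately provoked errors (a non-existent path for 404, a malformed parameter or an unsupported method for 500/405) taken from the test environment; a URL that still reports "server product and version" or a stack frame has not been covered by the error-page configuration.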


Declare proper <error-page> elements in web.xml, where it is possible to specify the page that should be displayed for a given Throwable/Exception/Error or for an HTTP status code. The container picks the most specific <exception-type> match in the thrown class's hierarchy, so a mapping for java.lang.Throwable acts as the catch-all.

Examples

<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/errorPages/errorPageForException.jsp</location>
</error-page>


which displays the error page for java.lang.Exception and any of its subclasses (java.lang.Error and its subclasses are not covered by this mapping).


<error-page>
    <error-code>404</error-code>
    <location>/errorPages/errorPageFor404.jsp</location>
</error-page>


which displays the error page for an HTTP 404 response; other status codes (400, 403, 405, 500, 503, and so on) can be mapped the same way, each in its own <error-page> element.

<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errorPages/errorPageForThrowable.jsp</location>
</error-page>


which displays the error page for java.lang.Throwable and any of its subclasses, that is, every Exception and every Error the application can throw. The location path is case-sensitive and must match the deployed file. The JSP at that location must itself be generic: it should not echo the implicit exception object or its message to the client; log the detail server-side instead.
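Whether a given web.xml actually reaches full coverage is easy to get wrong (a mapping for Exception but not Throwable, a 404 page but nothing for 500). The following script is an added example, not part of the original post or of Tomcat: it parses the <error-page> elements of a web.xml and reports the gaps against a simple policy, namely a java.lang.Throwable mapping plus explicit mappings for 400, 401, 403, 404, 405, 500 and 503. That code list is an assumption of this example, not a Tomcat requirement. The two web.xml samples are constructed: the first carries only the Exception and 404 mappings shown above, the second uses Throwable together with a Servlet 3.0 default error page (an <error-page> with only a <location>), which the container uses for every code and exception not mapped more specifically. Two caveats the script cannot check: these mappings apply per web application, so requests that match no deployed context are answered by the ROOT application or by Tomcat itself, and the JSP in <location> must exist and must not print the exception.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed, not from the original post): only the first two
# mappings from the post, so Throwable and most status codes are uncovered.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/errorPages/errorPageForException.jsp</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/errorPages/errorPageFor404.jsp</location>
  </error-page>
</web-app>"""

# Constructed hardened sample: Throwable catch-all plus a Servlet 3.0 default
# error page (no error-code and no exception-type) for every status code.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errorPages/generic.jsp</location>
  </error-page>
  <error-page>
    <location>/errorPages/generic.jsp</location>
  </error-page>
</web-app>"""

# Policy assumed by this example: status codes that must be mapped explicitly
# unless a default error page is present.
REQUIRED_CODES = {400, 401, 403, 404, 405, 500, 503}


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def parse_error_pages(web_xml_text):
    """Return (codes, exception_types, has_default) declared in web.xml."""
    root = ET.fromstring(web_xml_text)
    codes, types, has_default = set(), set(), False
    for element in root.iter():
        if _local(element.tag) != "error-page":
            continue
        code = exc = None
        for child in element:
            text = (child.text or "").strip()
            if _local(child.tag) == "error-code":
                code = int(text)
            elif _local(child.tag) == "exception-type":
                exc = text
        if code is not None:
            codes.add(code)
        elif exc is not None:
            types.add(exc)
        else:
            has_default = True  # <error-page> with only <location>
    return codes, types, has_default


def audit_error_pages(web_xml_text):
    """Return a list of findings; an empty list means the policy is met."""
    codes, types, has_default = parse_error_pages(web_xml_text)
    if has_default:
        return []  # default page covers every unmapped code and exception
    findings = []
    if "java.lang.Throwable" not in types:
        findings.append("no <exception-type>java.lang.Throwable</exception-type>; "
                        "Errors and unmapped exceptions reach the container page")
    for code in sorted(REQUIRED_CODES - codes):
        findings.append("no <error-code>%d</error-code> mapping" % code)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name + ":", audit_error_pages(text) or ["ok"])
```

Run it against the real file with `audit_error_pages(open("WEB-INF/web.xml").read())`; the weak sample above yields seven findings (the missing Throwable mapping and six missing status codes), the hardened one none.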