CWE-7: J2EE Misconfiguration: Missing Custom Error Page
ID: CWE-7
Abstraction: Variant
Structure: Simple
Status: Incomplete
The default error page of a web application should not display sensitive information about the product.
A web application must define a default error page for 4xx errors (e.g. 404) and 5xx errors (e.g. 500), and must catch java.lang.Throwable exceptions, to prevent attackers from mining information from the application container's built-in error response.
When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.
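As an added example (not part of the CWE entry), the following script audits a `web.xml` deployment descriptor for the mappings described above: error pages for 4xx and 5xx status codes and a mapping for `java.lang.Throwable`. The sample descriptors, the `/errors/...` paths and the function names are constructed for illustration. The required codes default to the page's own examples (404 and 500), and a location-only `<error-page>` is assumed to act as the Servlet 3.0+ default error page.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptors (paths are placeholders).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>
  <error-page><error-code>500</error-code><location>/errors/500.html</location></error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/500.html</location>
  </error-page>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so Java EE and Jakarta EE descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def audit_error_pages(web_xml, required_codes=("404", "500")):
    """Return findings for a web.xml string; an empty list means it is covered."""
    codes, exceptions, catch_all = set(), set(), False
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "error-page":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if not fields.get("location"):
            continue  # an entry with no location maps nothing
        if fields.get("error-code"):
            codes.add(fields["error-code"])
        elif fields.get("exception-type"):
            exceptions.add(fields["exception-type"])
        else:
            catch_all = True  # location-only entry: assumed Servlet 3.0+ default page
    if catch_all:
        return []
    findings = [f"no error page for HTTP {c}" for c in required_codes
                if c not in codes]
    if "java.lang.Throwable" not in exceptions:
        findings.append("java.lang.Throwable is not mapped to an error page")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit_error_pages(doc) or "OK")
```

Run it only against descriptors you own; the standard-library XML parser is not hardened for untrusted input.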
Modes of Introduction
Phase | Note |
---|---|
Implementation | |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | | Java | |