CWE-7 J2EE误配置：缺少定制错误页面

J2EE Misconfiguration: Missing Custom Error Page

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

The default error page of a web application should not display sensitive information about the software system.

扩展描述

A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response.

When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.

相关缺陷

• cwe_Nature: ChildOf cwe_CWE_ID: 756 cwe_View_ID: 1000 cwe_Ordinal: Primary

• cwe_Nature: ChildOf cwe_CWE_ID: 756 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

可能的缓解方案

Implementation

策略:

Handle exceptions appropriately in source code.

['Implementation', 'System Configuration']

策略:

Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application.

Implementation

策略:

Do not attempt to process an error or attempt to mask it.

Implementation

策略:

Verify return values are correct and do not supply sensitive information about the system.

示例代码

例

In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).

bad Java

分类映射

引用

• REF-65 19 Deadly Sins of Software Security