CWE-7 - J2EE Misconfiguration: Missing Custom Error Page
CWE-7
- Abstraction:
- Variant
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
J2EE Misconfiguration: Missing Custom Error Page
- Description
The default error page of a web application should not display sensitive information about the product.
A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container's built-in error response. When an attacker explores a web site looking for vulnerabilities, the amount of information that the site provides is crucial to the eventual success or failure of any attempted attacks.
- Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Notes: A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2023-06-29
Free security scan for your website