The product does not return custom error pages to the user, possibly exposing sensitive information.
Threat Mapped score: 3.0
Industry: Financial
Threat priority: P2 - Serious (High)
Phase | Note
---|---
None listed. |
Intro: In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).
```java
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    try {
        ...
    } catch (ApplicationSpecificException ase) {
        // Only the application's own checked exception is handled; any
        // RuntimeException thrown in the try block propagates to the container.
        logger.error("Caught: " + ase.toString());
    }
}
```
Intro: The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used.
Body: In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.
```xml
<customErrors mode="Off" />
```
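The hardened form of the servlet from the first snippet, as an added example that is not part of the original page: a second catch branch takes the unchecked exceptions that would otherwise reach the container and forwards to an application-owned error page, logging the full trace under an incident id instead of returning it. `PaymentServlet`, `processPayment`, the nested `ApplicationSpecificException` and `/WEB-INF/error.jsp` are assumed names; SLF4J stands in for the page's unnamed `logger`.

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class PaymentServlet extends HttpServlet {  // hypothetical servlet
    private static final Logger logger = LoggerFactory.getLogger(PaymentServlet.class);
    /** Hypothetical checked exception standing in for the page's ApplicationSpecificException. */
    public static class ApplicationSpecificException extends Exception {
        public ApplicationSpecificException(String msg) { super(msg); }
    }
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            processPayment(request);
        } catch (ApplicationSpecificException ase) {
            logger.error("Caught: {}", ase.toString());
            showGenericError(request, response);
        } catch (RuntimeException re) {
            // Without this branch an unchecked exception reaches the container,
            // which renders its default error page (stack trace, server version).
            String incidentId = UUID.randomUUID().toString();
            logger.error("Unexpected error, incident {}", incidentId, re); // trace goes to the log only
            request.setAttribute("incidentId", incidentId);
            showGenericError(request, response);
        }
    }
    private void processPayment(HttpServletRequest request) throws ApplicationSpecificException {
        String amount = request.getParameter("amount");
        if (amount == null) throw new ApplicationSpecificException("amount missing");
        long cents = Long.parseLong(amount); // NumberFormatException: the unchecked case
        if (cents <= 0) throw new ApplicationSpecificException("amount must be positive");
        // ... charging the card is out of scope here
    }
    private void showGenericError(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        // /WEB-INF/ is not reachable by direct request; the JSP (assumed to exist)
        // prints a fixed message plus the incident id and nothing else.
        request.getRequestDispatcher("/WEB-INF/error.jsp").forward(request, response);
    }
}
// Safety net in web.xml for anything that still escapes, e.g. a java.lang.Error:
// <error-page><exception-type>java.lang.Throwable</exception-type><location>/WEB-INF/error.jsp</location></error-page>
```

The ASP.NET counterpart of the same fix is `<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />` (or `mode="On"`), which keeps detailed error pages off for remote clients while the detail still reaches the server log.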