CWE-756 定制错误页面缺失

Missing Custom Error Page

结构: Simple

Abstraction: Class

状态: Incomplete

被利用可能性: unkown

基本描述

The software does not return custom error pages to the user, possibly exposing sensitive information.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 755 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 209 cwe_View_ID: 1000

常见的影响

范围 影响 注释
Confidentiality Read Application Data Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

示例代码

In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).

bad Java

Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
...
} catch (ApplicationSpecificException ase) {
logger.error("Caught: " + ase.toString());
}
}

An insecure ASP.NET application setting:

bad ASP.NET

<customErrors mode="Off" />

Custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.

Here is a more secure setting:

good ASP.NET

<customErrors mode="RemoteOnly" />

Custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.