Détail du CWE-7

The default error page of a web application should not display sensitive information about the product.

Modes d'introduction

Implementation

Plateformes applicables

Langue

Name: Java (Undetermined)

Technologies

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Conséquences courantes

Mesures d’atténuation potentielles

Phases : Implementation
Handle exceptions appropriately in source code.
Phases : Implementation // System Configuration
Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application.
Phases : Implementation
Do not attempt to process an error or attempt to mask it.
Phases : Implementation
Verify return values are correct and do not supply sensitive information about the system.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Références

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-65

19 Deadly Sins of Software Security
M. Howard, D. LeBlanc, J. Viega.

Soumission

Modifications