CWE-7: J2EE Misconfiguration: Missing Custom Error Page
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The default error page of a web application should not display sensitive information about the product.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: A stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
潜在缓解措施
阶段: Implementation
描述: Handle exceptions appropriately in source code.
阶段: Implementation System Configuration
描述: Always define appropriate error pages. The application configuration should specify a default error page in order to guarantee that the application will never leak error messages to an attacker. Handling standard HTTP error codes is useful and user-friendly in addition to being a good security practice, and a good configuration will also define a last-chance error handler that catches any exception that could possibly be thrown by the application.
阶段: Implementation
描述: Do not attempt to process an error or attempt to mask it.
阶段: Implementation
描述: Verify return values are correct and do not supply sensitive information about the system.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | J2EE Misconfiguration: Missing Error Handling | - |