
Detailed Application Error

Impact: Medium

Description

Unhandled exceptions that reach the user produce a detailed application error page: a stack trace, the exception message, absolute source file paths, framework or library versions, and sometimes fragments of SQL queries or configuration values. This has two primary risks. First, the details give an attacker a map of the application's internals (technology stack, file layout, database structure, third-party components) that makes further attacks easier to plan. Second, an unhandled exception shows that the input which triggered it was never validated or handled, which is often the first sign of an exploitable bug such as an injection flaw.

Recommendation

Catch every type of exception at a central point (a global handler, the framework's error handler, or an outer request filter), log the full detail on the server, and return a generic error page or message that does not reveal the exception type, message, file path or stack trace. Showing an opaque reference id on the generic page lets support staff find the matching log entry without exposing anything to the user. Framework-specific settings follow.

ASP.NET

For ASP.NET (Web Forms and MVC on the .NET Framework), you can disable detailed errors by setting the mode attribute of the customErrors element to On or RemoteOnly. Prefer On on production servers: RemoteOnly still shows the full error to requests that originate from the local machine, which includes requests forwarded by a reverse proxy running on the same host. ASP.NET Core does not read customErrors; there, register app.UseExceptionHandler("/Error") and make sure the developer exception page is only enabled in the Development environment.

Example configuration:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx"
                  mode="RemoteOnly">
      <error statusCode="500"
             redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

PHP

In PHP you can stop errors from being rendered into the response by adding the following lines early in your front controller. Keep error_reporting(E_ALL) and log_errors enabled: calling error_reporting(0) would also hide the errors from your logs. Note that values set with ini_set take effect only after that line runs, so parse errors in the same file and startup errors are still displayed; the php.ini setting below is the reliable fix.

// Do not render errors to the client, but keep reporting and
// logging on so failures are still recorded on the server side.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

You can also disable error display, while keeping server-side logging, in php.ini (or in the php-fpm pool configuration, or with php_flag in .htaccess where allowed) with the following settings. Set display_startup_errors = Off as well.

display_errors = Off
log_errors = On
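As an added example (not code from the SmartScanner page), the following front-controller snippet shows what the recommendation above looks like in PHP 7+/8: uncaught exceptions, warnings and fatal errors are all logged on the server with a per-request reference id, and the client only ever receives a generic message. The loadUser function and the request parameter it is called with are constructed for the demonstration.

```php
<?php
// Added example: central error handling that keeps exception detail out of
// the HTTP response while still logging it. Not part of the original page.
declare(strict_types=1);

// Never show errors to the client; keep logging on. Ideally set in php.ini.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Per-request reference id: safe to show the user, and lets an operator
// find the full trace in the server log.
$incidentId = bin2hex(random_bytes(8));

function send_generic_error(string $incidentId): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    // Generic message only: no class name, message, file path or trace.
    echo "An internal error occurred. Reference: {$incidentId}\n";
}

// Uncaught exceptions, including Error subclasses such as TypeError.
set_exception_handler(function (Throwable $e) use ($incidentId): void {
    error_log(sprintf(
        '[%s] %s: %s in %s:%d%s%s',
        $incidentId, get_class($e), $e->getMessage(), $e->getFile(),
        $e->getLine(), PHP_EOL, $e->getTraceAsString()
    ));
    send_generic_error($incidentId);
    exit(1);
});

// Warnings and notices: convert them into exceptions so they reach the
// handler above instead of being printed inline.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // suppressed with @, let PHP's default handling apply
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Fatal errors (out of memory, parse error in an included file, ...) bypass
// both handlers, so catch them in a shutdown function.
register_shutdown_function(function () use ($incidentId): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('[%s] fatal: %s in %s:%d',
            $incidentId, $err['message'], $err['file'], $err['line']));
        send_generic_error($incidentId);
    }
});

// --- Constructed demo request: an unvalidated parameter reaches the
// data layer. Hypothetical function, not from the original page.
function loadUser(string $id): array
{
    if (!ctype_digit($id)) {
        // Without the handlers above, this message, a stack trace and the
        // absolute path of this file would be rendered to the client.
        throw new InvalidArgumentException("invalid user id: {$id}");
    }
    return ['id' => (int) $id];
}

// Constructed malicious input used when no query string is present.
loadUser($_GET['id'] ?? "1' OR 1=1--");
```

Run it with php handler.php (the trace goes to stderr, the generic message to stdout) or serve it with php -S 127.0.0.1:8080 handler.php and request /?id=abc: the browser sees only the reference id, while the log line carrying the same id holds the class, message, file and trace.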

Java

Thread.setDefaultUncaughtExceptionHandler installs a process-wide handler for exceptions that escape a thread, which is useful in standalone Java programs and for worker threads. In a web application it is usually not enough: the servlet container (Tomcat, Jetty and others) catches exceptions thrown by a servlet before they reach the thread and renders its own error page, which may include the exception class, message and stack trace. Declare error-page entries in web.xml (by error-code and by exception-type java.lang.Throwable) that point at a static generic page, or use your framework's central handler (for example Spring's @ControllerAdvice with @ExceptionHandler), and log the full trace on the server together with a reference id that the generic page shows.

Last updated on June 06, 2022

Use SmartScanner Free version to test for this issue
