Detailed Application Error
Impact: Medium
Description
Unhandled exceptions have two primary risks.
- Denial of service: When an unhandled exception occurs, it may leak memory or consume server resources by doing more processing than usual.
- Leaking information: Unhandled exceptions can generate error messages that contain sensitive information. When these error messages are shown to users, attackers can use them to refine their attack on the target.
Recommendation
You should properly handle all types of exceptions and display a generic error message. Platform-specific details follow.
ASP.NET
For ASP.NET, you can disable detailed errors by setting the mode attribute of the customErrors element to On or RemoteOnly.
Example configuration:
<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>
PHP
In PHP, you can disable the display of errors by adding the following lines to your code:
ini_set('display_errors', 0);
ini_set('display_startup_errors', 0);
error_reporting(0);
You can also disable the display of errors in the php.ini file with the following setting.
display_errors = Off
Java
You can set a default exception handler using the Thread.setDefaultUncaughtExceptionHandler method to catch all uncaught exceptions and runtime errors.
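The Java recommendation above, as an added example that is not part of the original page: a default uncaught-exception handler that logs the full stack trace server-side and sends the user only a generic message with a correlation id. It assumes a plain console application; the class name, the logger and the failing path in the worker thread are all constructed for this example.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example: keeps exception detail in the server log and gives the
// user a generic message tagged with an id that support can look up.
public class GenericErrorHandler implements Thread.UncaughtExceptionHandler {
    private static final Logger LOG = Logger.getLogger(GenericErrorHandler.class.getName());

    // Text that may reach a user: no exception class, no message, no path.
    // The correlation id links this message to the detailed log entry.
    static String userFacingMessage(String correlationId) {
        return "An unexpected error occurred. Reference: " + correlationId;
    }

    @Override
    public void uncaughtException(Thread t, Throwable e) {
        String id = UUID.randomUUID().toString();
        // Full stack trace and message stay in the server-side log only.
        LOG.log(Level.SEVERE, "Unhandled exception [" + id + "] in thread " + t.getName(), e);
        // Only the generic text is written to the user-facing channel.
        System.err.println(userFacingMessage(id));
    }

    public static void main(String[] args) throws InterruptedException {
        Thread.setDefaultUncaughtExceptionHandler(new GenericErrorHandler());
        Thread worker = new Thread(() -> {
            // Constructed failure whose message (a file path) must not leak.
            throw new IllegalStateException("cannot open /etc/app/secret.conf");
        });
        worker.start();
        worker.join();
    }
}
```

Running it prints only the generic message with a reference id on the console, while the path and stack trace appear in the logger output.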
Last updated on June 06, 2022