How To Disable Excessive Information in Error Pages

Apache

To prevent Apache from displaying this information to the world, we need to make some changes in the main Apache configuration file.

ServerSignature Off
ServerTokens Prod


IIS

A Web site's error pages are often set to show detailed error information for troubleshooting purposes. However, to prevent unauthorized users from viewing privileged information, you should make sure that detailed error pages will not be seen by remote users.

To prevent IIS7 from hijacking your error pages, set existingResponse="PassThrough" in the httpErrors section of your web.config file. For example:
<configuration>
  <system.webServer>
     <httpErrors existingResponse="PassThrough" />
  </system.webServer>
</configuration>

To set the custom errors error mode to DetailedLocalOnly or Custom:

  • Click Start, click Control Panel, and then click Administrative Tools.
  • Right-click Internet Information Services (IIS) Manager and select Run as administrator.
  • In the Connections pane on the left, expand the computer, then expand the Sites folder.
  • Select the Web site or application that you want to configure.
  • In Features View, select Error Pages. In the Actions pane, select Open Feature.
  • In the Actions pane, select Edit Feature Settings.
  • In the Edit Error Pages Settings dialog, under Error Responses, select either Custom error pages or Detailed errors for local requests and custom error pages for remote requests.
  • Click OK to exit the Edit Error Pages Settings dialog.

To prevent information leakage by using custom error pages, apply the following changes to your web.config file. Setting enableVersionHeader="false" also removes the X-AspNet-Version header from HTTP responses.

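<!-- Section names in web.config are case-sensitive: use system.web, not System.Web -->
<system.web>
  <!-- Stop sending the X-AspNet-Version response header -->
  <httpRuntime enableVersionHeader="false" />
  <!-- Always serve custom pages instead of detailed ASP.NET errors -->
  <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
    <error statusCode="403" redirect="~/error/Forbidden.aspx" />
    <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
    <error statusCode="500" redirect="~/error/InternalError.aspx" />
  </customErrors>
</system.web>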


Tomcat

Using a configuration where the webapp is deployed into the Tomcat ROOT context, and assuming you have already developed custom error pages for 500 and 404, you would add the following to your ROOT web application's web.xml configuration, which is typically located in $CATALINA_HOME/webapps/ROOT/:

<error-page>
  <error-code>500</error-code>
  <location>/errors/500.html</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/errors/404.html</location>
</error-page>
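
Verifying the changes

One way to confirm that the Apache, IIS and Tomcat settings above took effect is to audit an error response for leftover version headers and default error-page markers. The Python below is an added example, not part of the original page; the rule names, marker patterns and sample responses are constructed assumptions and are not exhaustive.

```python
import re

# Header checks: value patterns that mean the hardening above is missing.
HEADER_RULES = {
    "server": re.compile(r"/\d+\.\d+"),    # "Apache/2.4.41"; ServerTokens Prod sends "Apache"
    "x-aspnet-version": re.compile(r"."),  # absent with enableVersionHeader="false"
}
# Body checks: markers of default or detailed error pages (assumed patterns).
BODY_RULES = {
    "Apache server signature": re.compile(r"<address>Apache.* Server at .* Port \d+</address>"),
    "ASP.NET detailed error": re.compile(r"Server Error in '.*' Application|Stack Trace:"),
    "Tomcat default error page": re.compile(r"Apache Tomcat/\d+\.\d+"),
}

def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit(raw):
    """Return a list of information-disclosure findings for one error response."""
    _, headers, body = parse_response(raw)
    findings = [f"header {n}: {headers[n]}" for n, rx in HEADER_RULES.items()
                if n in headers and rx.search(headers[n])]
    findings += [f"body: {label}" for label, rx in BODY_RULES.items() if rx.search(body)]
    return findings

# Constructed sample responses (not captured from a real server).
APACHE_DEFAULT = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"
                  "<h1>Not Found</h1><hr>\n"
                  "<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address>")
ASPNET_DETAILED = ("HTTP/1.1 500 Internal Server Error\r\nX-AspNet-Version: 4.0.30319\r\n\r\n"
                   "<h1>Server Error in '/' Application.</h1><b>Stack Trace:</b>")
TOMCAT_DEFAULT = "HTTP/1.1 404 \r\n\r\n<h1>HTTP Status 404</h1><h3>Apache Tomcat/9.0.31</h3>"
HARDENED = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n<h1>Page not found</h1>"

if __name__ == "__main__":
    for name in ("APACHE_DEFAULT", "ASPNET_DETAILED", "TOMCAT_DEFAULT", "HARDENED"):
        print(name, audit(globals()[name]))
```

An empty list means the response showed none of the markers; rerun the audit against 403, 404 and 500 responses after each configuration change.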