Different Server Configuration Techniques for Custom Errors

In general, leaking unnecessary information about software behavior significantly aids an attacker in finding weaknesses within your application. Examples include software version information that can be used to footprint a potentially vulnerable version of an application, and error details related to an application failure, such as a SQL syntax error that occurs on the database server.

We’re going to look at ways to suppress this information declaratively within application deployment descriptor files and hardening the Web server configuration.

For ASP.NET Web application

In web.config file, set customErrors to On or RemoteOnly and defaultRedirect to the page for display. Make sure that the page which you set for display should be there in respective location.

Code –

<customErrors mode=”On”
defaultRedirect=”/error.aspx”>
</customErrors>

For J2EE Web application

In the web.xml file, configure the <error-page> element with an <error-code> and <location> element.

Code –

<error-page>
<error-code>500</error-code>
<location>/error.html</location>
</error-page>

Classic ASP/VBScript Web application

IIS must be configured to suppress detailed ASP error messages. You can use the following procedure to configure this setting:

  • In the IIS Manager, right-click the Web site and select Properties.
  • On the Home Directory tab, click the Configuration button. Ensure that the Send text error message to client option is checked, and that an appropriate message exists in the textbox below this option.

PHP Web application

In the php.ini file, set display_errors = Off. Additionally, configure a default error document in the Web server configuration.

Apache Web server

Add the ErrorDocument directive to Apache (inside the configuration file, usually httpd.conf) that points to the custom page.

Code –

ErrorDocument 500 /error.html

IIS

To configure custom errors in IIS you can use the following procedure:

  • In the IIS Manager Snap-In, right-click the Web site and select Properties.
  • On the Custom Errors tab, click the Configuration button. Highlight the HTTP error to be customized and click the Edit button. You can then select a file or URL from the Message Type drop down to be used in place of the default.
You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts