In general, leaking unnecessary information about software behavior significantly aids an attacker in finding weaknesses within your application. Examples include software version information that can be used to footprint a potentially vulnerable version of an application, and error details related to an application failure, such as a SQL syntax error that occurs on the database server.
We’re going to look at ways to suppress this information declaratively within application deployment descriptor files and hardening the Web server configuration.
For ASP.NET Web application
In web.config file, set customErrors to On or RemoteOnly and defaultRedirect to the page for display. Make sure that the page which you set for display should be there in respective location.
For J2EE Web application
In the web.xml file, configure the <error-page> element with an <error-code> and <location> element.
Classic ASP/VBScript Web application
IIS must be configured to suppress detailed ASP error messages. You can use the following procedure to configure this setting:
- In the IIS Manager, right-click the Web site and select Properties.
- On the Home Directory tab, click the Configuration button. Ensure that the Send text error message to client option is checked, and that an appropriate message exists in the textbox below this option.
PHP Web application
In the php.ini file, set display_errors = Off. Additionally, configure a default error document in the Web server configuration.
Apache Web server
Add the ErrorDocument directive to Apache (inside the configuration file, usually httpd.conf) that points to the custom page.
ErrorDocument 500 /error.html
To configure custom errors in IIS you can use the following procedure:
- In the IIS Manager Snap-In, right-click the Web site and select Properties.
- On the Custom Errors tab, click the Configuration button. Highlight the HTTP error to be customized and click the Edit button. You can then select a file or URL from the Message Type drop down to be used in place of the default.