
Detailed Application Error

Severity:
Medium

Description

Detailed application errors are the output of exceptions the application never handled, and they pose two risks. Firstly, an unhandled exception can terminate the worker thread or the whole process, or leave resources such as database connections, file handles and locks unreleased, so a request that reliably triggers it becomes a denial-of-service vector. Secondly, the error page that the runtime generates in place of a real response typically contains stack traces, source file paths, library and framework versions, configuration values and fragments of SQL queries. An attacker uses that information to fingerprint the stack and to refine other attacks, for example SQL injection, against the application.

Recommendation

Handle every type of exception at a single, well-defined boundary (a global exception handler, error page or middleware), write the full details to the server-side log, and return only a generic error message to the client. Including a random reference id in both the log entry and the generic message lets support staff find the detail without exposing it. Also make sure the debug or development mode of your framework is switched off in production, since that mode is designed to show exactly these details. Framework-specific settings follow.
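The recommendation above carried through in working code, as an added example that is not from the original page or from SmartScanner. It uses WSGI, the interface that Flask and Django applications sit on, so it runs with the Python standard library alone: a hypothetical application with no error handling of its own, the "debug mode" wrapper that leaks the traceback into the HTTP response, and a middleware that returns a generic message with a reference id while the full trace goes to the server log. The application, the connection string in it and the request paths are all constructed for the example.

```python
"""Added example (not from the original page): a WSGI app that leaks an
exception trace to the client, beside a middleware that replaces it with a
generic message and keeps the detail in the server log."""
import logging
import sys
import traceback
import uuid
from io import BytesIO

# Constructed secret: a DSN the failing view mentions in its exception text.
DB_DSN = "postgres://app:hunter2@db.internal:5432/orders"

# In-memory log sink so the result can be checked without a log file.
RECORDS = []


class ListHandler(logging.Handler):
    def emit(self, record):
        RECORDS.append(self.format(record))


log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.addHandler(ListHandler())
log.propagate = False


def raw_app(environ, start_response):
    """Hypothetical application with no error handling of its own."""
    if environ["PATH_INFO"] == "/orders":
        raise ConnectionError(f"could not connect to {DB_DSN}")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def debug_mode(app):
    """Deliberately vulnerable: what a framework's debug page does. The whole
    traceback, including the exception message with the DSN, goes to the client."""
    def wrapper(environ, start_response):
        try:
            return list(app(environ, start_response))
        except Exception:
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [traceback.format_exc().encode()]
    return wrapper


class GenericErrorMiddleware:
    """Catches every exception from the wrapped app, logs the full trace under
    a random reference id, and sends the client only that id."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            # list() forces lazily produced bodies to run inside the try too.
            return list(self.app(environ, start_response))
        except Exception:
            error_id = uuid.uuid4().hex
            log.error("unhandled exception, error_id=%s\n%s",
                      error_id, traceback.format_exc())
            # exc_info lets WSGI replace a status the app may already have set.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [f"An internal error occurred. Reference: {error_id}\n".encode()]


def call(app, path):
    """Invoke a WSGI app in-process; returns (status line, decoded body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


leaky_app = debug_mode(raw_app)
safe_app = GenericErrorMiddleware(raw_app)

if __name__ == "__main__":
    print(call(leaky_app, "/orders")[1])   # traceback with the DSN
    print(call(safe_app, "/orders")[1])    # generic message plus reference id
    print(RECORDS[-1])                      # the trace, server-side only
```

The middleware is the outermost layer, so it also catches exceptions raised by other middleware beneath it; anything placed outside it (the WSGI server itself) still produces that server's own error page, which is why the server's debug options must be off as well.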

ASP.NET

For ASP.NET (the .NET Framework web stack), disable detailed errors by setting the mode attribute of the customErrors element in web.config to On or RemoteOnly. On hides the details from every client. RemoteOnly still shows them to requests that reach the application from the local machine, which is convenient for debugging on the server but also applies to requests forwarded by a reverse proxy running on the same host, so prefer On where that is the case. ASP.NET Core does not read customErrors; there, register a generic handler with app.UseExceptionHandler("/Error") and call UseDeveloperExceptionPage only when the environment is Development.

Example configuration:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx"
                  mode="RemoteOnly">
      <error statusCode="500"
             redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

PHP

In PHP you can stop errors from being written into the response by adding the lines below to your code. Note that error_reporting(0) also stops errors from being logged; to keep a server-side record, use error_reporting(E_ALL) with log_errors enabled instead and turn off display_errors only.

// Stop errors from being written into the HTTP response
ini_set('display_errors', 0);
// Startup errors occur before this script runs, so this line has no effect on
// them; set display_startup_errors in php.ini to be sure
ini_set('display_startup_errors', 0);
// Suppresses reporting of all errors, including to the error log
error_reporting(0);

The reliable place for these settings is php.ini, because ini_set() runs too late for startup errors and for parse errors in the file that contains it. Set the option below there (and keep log_errors on so the details still reach the error log).

display_errors = Off

Java

Thread.setDefaultUncaughtExceptionHandler installs a handler for exceptions that would otherwise terminate a thread; it receives unchecked exceptions and errors (checked exceptions must be caught or declared, so they never reach it). In a servlet container this handler is usually not reached at all, because the container catches exceptions thrown by a request and renders its own default error page, stack trace included. For web applications, configure error-page elements in web.xml (for example one for java.lang.Throwable and one for status code 500) that point to a generic page, or use the framework equivalent such as a Spring @ControllerAdvice class with @ExceptionHandler methods, and log the exception detail there.

Tags:
PHP
ASP.NET
Flask
Django
Information Disclosure
Denial of Service
Error Handling
Last updated on May 13, 2024