Description
Detailed application errors, caused by unhandled exceptions, pose two primary risks. Firstly, an exception that nobody handles can terminate the worker process or leave resources (database connections, file handles, locks) unreleased; an attacker who can trigger it repeatedly can use it for denial of service. Secondly, the framework's default error page usually includes the exception message, the stack trace, source file paths, the framework version and sometimes the offending query or connection string. This information helps an attacker map the application and pick the next attack.
Recommendation
Handle every exception type at the application boundary, log the details on the server, and return only a generic error message (with a generic HTTP status such as 500) to the client. Platform-specific guidance follows.
ASP.NET
For ASP.NET (the .NET Framework stack), disable detailed errors by setting the mode attribute of the customErrors element in web.config to On or RemoteOnly. RemoteOnly still shows full details to requests originating from the local machine, which is useful for debugging; Off is the setting that exposes details to every client. ASP.NET Core does not read customErrors: there, leave the developer exception page out of the production pipeline and register app.UseExceptionHandler with a generic error endpoint instead.
Example configuration:
<configuration>
<system.web>
<customErrors defaultRedirect="YourErrorPage.aspx"
mode="RemoteOnly">
<error statusCode="500"
redirect="InternalErrorPage.aspx"/>
</customErrors>
</system.web>
</configuration>
PHP
In PHP you can stop errors from being rendered to the client by adding the lines below to your code, ideally in a bootstrap file that runs before anything else. Note that error_reporting(0) also stops errors from being written to the error log, which hides real faults from operations; in production, prefer keeping error_reporting(E_ALL) with log_errors enabled and only turn off display_errors. Note also that ini_set('display_startup_errors', 0) has no effect on startup errors, because those occur before the script runs; that setting only works in php.ini.
ini_set('display_errors', 0);          // never render errors to the client
ini_set('display_startup_errors', 0);  // effective only in php.ini, see above
error_reporting(0);                    // silences logging too; see the note above
You can also disable error display in the php.ini file with the setting below (set log_errors = On alongside it so errors are still recorded server-side). This is the reliable place for it, since the setting is then in force before any script executes.
display_errors = Off
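The following is an added example, not code from the original page, showing how the recommendation above (keep logging, hide details, show a generic message) is implemented in a PHP bootstrap file. It converts warnings and notices into exceptions so one handler covers them, logs the full exception with a random reference id, returns only that id to the client, and uses a shutdown function for fatal errors that never reach the exception handler. The log path and the helper names sendGenericError and logFailure are assumptions; adjust them to your deployment.

```php
<?php
// Added example (not from the original page): production error handling for a PHP
// application. Full details go to the server log; the client sees a generic message
// plus a reference id. Helper names and the log path are assumptions.

declare(strict_types=1);

// 1. Keep reporting every error internally, but never render it to the client.
//    error_reporting(0) would also silence the log and hide real faults from ops.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumption: writable by the PHP user

/** Emit a generic 500 response; the reference id lets support find the log entry. */
function sendGenericError(string $referenceId): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred. Reference: {$referenceId}\n";
}

/** Log class, message, location and trace server-side; return the id shown to the user. */
function logFailure(Throwable $t): string
{
    $id = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d', $id, get_class($t), $t->getMessage(),
        $t->getFile(), $t->getLine()));
    error_log("[{$id}] " . $t->getTraceAsString());
    return $id;
}

// 2. Promote warnings/notices to exceptions so a single handler covers them.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // suppressed with @ or below the reporting level: use PHP's default
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 3. Uncaught exceptions: log the details, then show only the generic page.
set_exception_handler(function (Throwable $t): void {
    sendGenericError(logFailure($t));
});

// 4. Fatal errors (out of memory, parse errors in included files) bypass the exception
//    handler; a shutdown function catches them so the default page is still replaced.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        $id = bin2hex(random_bytes(8));
        error_log(sprintf('[%s] fatal: %s in %s:%d', $id, $err['message'],
            $err['file'], $err['line']));
        sendGenericError($id);
    }
});

// Demonstration (constructed): a failure whose message contains an internal hostname
// and port. With display_errors on, PHP would print this message and the trace to
// the browser; here the client only receives the generic text and a reference id.
throw new RuntimeException('connection to db-primary.internal:5432 refused');
```

Run the file through php-cli or a web server: the response body contains only the generic line with a reference id, while the log file holds the exception class, the message with the hostname, and the stack trace under the same id. Keep the reference id random (not a sequence number or timestamp) so it reveals nothing about request volume.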
Java
Thread.setDefaultUncaughtExceptionHandler installs a handler for any exception that propagates out of a thread that has no handler of its own, so it catches the unchecked (runtime) exceptions and errors that would otherwise terminate the thread, and is the right place to log them. In a web application it is not sufficient on its own: a servlet container catches exceptions thrown by request threads before they reach this handler and renders its own error page, which may itself include the stack trace. Therefore also map exceptions and error status codes to a generic page with <error-page> entries in web.xml (or the framework equivalent, such as a Spring @ControllerAdvice with @ExceptionHandler methods), and make sure that page prints neither the exception message nor the trace.