CWE-756: Missing Custom Error Page
Structure: Simple
Abstraction: Class
Status: Incomplete
Likelihood of Exploit: Unknown
Description
The software does not return custom error pages to the user, possibly exposing sensitive information.
Related Weaknesses
- ChildOf: CWE-755 Improper Handling of Exceptional Conditions (View 1000, Primary)
- CanPrecede: CWE-209 Generation of Error Message Containing Sensitive Information (View 1000)
Common Consequences
Scope | Impact | Note |
---|---|---|
Confidentiality | Read Application Data | Attackers can use the additional information in a default error page (framework and platform versions, stack traces, file paths, database error text) to mount attacks targeting the framework, database, or other resources used by the application. |
Demonstrative Examples
Example 1
In the snippet below, the catch clause handles only ApplicationSpecificException. An unchecked runtime exception thrown from within the try block is therefore not caught, propagates out of the servlet, and may cause the container to display its default error page (which may contain a full stack trace, among other things).
Bad code (Java):

```java
public void httpGet() {
    try {
        // ... request handling that may throw an unchecked RuntimeException
    } catch (ApplicationSpecificException ase) { // nothing else is caught
    }
}
```
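A container-level safety net for the Java case, as an added example that is not part of the CWE entry: a web.xml deployment descriptor that maps every uncaught exception and the common HTTP error codes to application-supplied pages, so the container never renders its default stack-trace page even when a RuntimeException escapes the catch clause above. The page paths under /WEB-INF/error/ are assumed names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the CWE entry): web.xml error-page mappings. Paths are assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- Any Throwable that escapes a servlet, including unchecked RuntimeExceptions and Errors,
         is forwarded to this page instead of the container's default error page.
         Map Throwable rather than Exception so that Errors are covered too. -->
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/WEB-INF/error/generic.jsp</location>
    </error-page>

    <!-- Status-code responses (from sendError() or generated by the container) get the same treatment. -->
    <error-page>
        <error-code>500</error-code>
        <location>/WEB-INF/error/generic.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/error/not-found.jsp</location>
    </error-page>

</web-app>
```

Keeping the error pages under /WEB-INF means clients cannot request them directly, while the container can still forward to them. The pages themselves must stay generic: the container exposes the exception in the javax.servlet.error.exception request attribute, and an error page that prints it (or calls printStackTrace) reintroduces the leak the mapping was meant to stop. To check the deployment, trigger an unhandled exception from a client and confirm the response body carries neither a stack trace nor the container's name and version.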
Example 2
An insecure ASP.NET application setting:
Bad code (ASP.NET):
Custom error message mode is turned off. An ASP.NET error message with a detailed stack trace and platform versions will be returned to every caller.
Here is a more secure setting:
Good code (ASP.NET):
Custom error message mode is enabled for remote users only, and no defaultRedirect error page is specified. A local user on the web server will still see the detailed stack trace. Remote users receive an ASP.NET error message that reveals the server's customErrors configuration setting and the platform version.
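The web.config fragments the two ASP.NET settings above describe, as an added example that is not part of the CWE entry, with a hardened variant beside them. Only one customErrors element may appear in a system.web section, so the weak and intermediate settings are shown as commented-out alternatives; Error.aspx is an assumed page name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the CWE entry). Error.aspx is an assumed page name. -->
<configuration>
  <system.web>

    <!-- Insecure (the page's "bad" setting): every caller, local or remote, gets the
         ASP.NET error page with stack trace, source context and .NET/ASP.NET version numbers.
           <customErrors mode="Off" />
    -->

    <!-- The page's "good" setting: remote callers get ASP.NET's generic error page,
         local requests on the server still get full details. Because no defaultRedirect
         is given, the generic page is still ASP.NET's own, which names the customErrors
         setting in effect and prints the platform version.
           <customErrors mode="RemoteOnly" />
    -->

    <!-- Hardened: always serve the application's own page, never ASP.NET's.
         redirectMode="ResponseRewrite" renders Error.aspx in place of the failed response,
         keeping the original status code instead of redirecting the client with a 302. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite" />

    <!-- Debug builds add source context to error output; leave this off in production. -->
    <compilation debug="false" />

  </system.web>
</configuration>
```

Two caveats a deployment check should cover: the custom Error.aspx must not render Server.GetLastError() or any exception text into the response, and on IIS 7+ in integrated pipeline mode errors that never reach ASP.NET (for example a 404 on a static file) are governed by the separate system.webServer/httpErrors section, which needs its own custom pages. Verify from a non-local address by requesting a URL that throws and confirming the response contains no stack trace and no version footer.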
Article source: scap中文网