Servlet Runtime Error Message Containing Sensitive Information
This vulnerability occurs when a Java servlet application displays detailed runtime error messages that reveal sensitive information about the application's internal structure, such as stack traces, file paths, or database queries. These unhandled exception details can give attackers critical insights to craft further exploits.
When an uncaught exception occurs in a servlet, the default error pages or overly verbose logging often dump the full stack trace and error context directly into the HTTP response. This information is gold for an attacker, as it can expose underlying technologies, framework versions, SQL query structures, internal file system paths, and even snippets of your business logic. It essentially provides a roadmap of your application's weaknesses and internal architecture. To prevent this, you should implement a global error handler that catches all unhandled exceptions and returns a generic, user-friendly error message to the client, while logging the detailed diagnostic information securely on the server side. Always ensure your application is deployed in production mode, which typically suppresses verbose debugging output, and regularly test error conditions to verify no sensitive data leaks through these channels.
Impact: Read Application Data
The error message may contain the location of the file in which the offending function is located. This may disclose the web root's absolute path as well as give the attacker the location of application files or configuration information. It may even disclose the portion of code that failed. In many cases, an attacker can use the data to launch further attacks against the system.
ID : DX-190
The following servlet code does not catch runtime exceptions, meaning that if such an exception were to occur, the container may display potentially dangerous information (such as a full stack trace).Code Example:
java// May cause unchecked NullPointerException.* if (username.length() < 10) { ``` ... } }