This vulnerability occurs when an application fails to display its own user-friendly error pages, instead falling back to default system messages that can leak sensitive technical details.
When an application crashes or encounters an unexpected condition, the web server or framework often generates a default error response. These generic pages can be a goldmine for attackers, revealing stack traces, database schemas, server versions, internal file paths, or snippets of code. This exposed information significantly lowers the effort required for further exploitation, as it provides clear clues about the underlying technology and potential weaknesses.

To prevent this, developers should implement a centralized error handler that intercepts all uncaught exceptions and HTTP error statuses (like 404 or 500). This handler must then respond with a consistent, branded page that informs the user a problem occurred (without any technical details), while logging the full diagnostic information securely on the server side for internal debugging. This simple practice improves both security and user experience.
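The handler described above, as an added example that is not part of the original text: a self-contained, stdlib-only Python WSGI application in which every uncaught exception and every non-200 status is routed through one `error_response` function. The user gets a generic page carrying only an opaque reference id; the full traceback, status and request path are written to the server-side log under that same id so an operator can correlate a support ticket with the real fault. The `/crash` route, the connection-string message it raises, and the in-memory `_MemoryLog` sink are constructed for the demonstration. The same shape (one catch-all filter or middleware in front of the framework's default page) carries over to the Java and ASP.NET stacks the entry lists.

```python
"""Centralized error handling for a WSGI app (stdlib only, added example).

Every uncaught exception and every error status becomes a generic, branded
page carrying only an opaque reference id; the traceback, request path and
reference id go to the server-side log instead of the response body.
"""
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
log.propagate = False  # keep the demo from echoing to stderr via the root logger


class _MemoryLog(logging.Handler):
    """In-memory stand-in for the real server-side log store (constructed for the demo)."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


SERVER_LOG = _MemoryLog()
log.addHandler(SERVER_LOG)

# Branded pages: no server, framework, version, path or exception text.
GENERIC_BODY = {
    404: "<h1>Page not found</h1><p>Reference: {ref}</p>",
    500: "<h1>Something went wrong</h1><p>Reference: {ref}</p>",
}
REASON = {200: "OK", 404: "Not Found", 500: "Internal Server Error"}


def app_core(environ):
    """Application logic. Returns (status, html) or raises on an unexpected condition."""
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        return 200, "<h1>Home</h1>"
    if path == "/crash":  # constructed fault: detail no end user should ever see
        raise RuntimeError("connect to db.internal.example:5432 as app_rw failed")
    return 404, None


def error_response(status, environ, exc=None):
    """Build the generic page and log the full diagnostics under a correlation id."""
    ref = uuid.uuid4().hex[:12]
    # format_exc() is valid here because we are still inside the caller's except block.
    detail = traceback.format_exc() if exc is not None else "no exception"
    log.error("ref=%s status=%d path=%s\n%s", ref, status, environ.get("PATH_INFO"), detail)
    return status, GENERIC_BODY[status].format(ref=ref)


def application(environ, start_response):
    """WSGI entry point: every non-success path out of app_core goes through error_response."""
    try:
        status, body = app_core(environ)
        if status != 200:
            status, body = error_response(status, environ)
    except Exception as exc:  # catch-all: the framework's default page is never reached
        status, body = error_response(500, environ, exc)
    start_response("%d %s" % (status, REASON[status]),
                   [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def call(path):
    """Drive the app in-process (no socket) and return (status_line, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application(environ, start_response)).decode("utf-8")
    return captured["status"], body


if __name__ == "__main__":
    for p in ("/", "/missing", "/crash"):
        print(p, "->", call(p))
    print("--- server log ---")
    print("\n".join(SERVER_LOG.records))
```

Running the module prints three responses whose bodies contain nothing but the branded text and a reference id, followed by the log entries that hold the traceback. The reference id is the design point: it lets support staff find the exact failure without the page having to say anything about it.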
Impact: Read Application Data
Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.
Platforms: Java, ASP.NET