Evaluated as Improper Error Handling according to OWASP, in our language Non-Customized Error Page Details of this vulnerability are given below.
What is an Error Page?
Web applications can create error conditions during operation. These errors consist of out of memory, null pointer exceptions, system call errors, database unavailable, network timeout, and dozens of other outputs. Error pages that are misconfigured by the administrator or not customized at all and that occur by default give a meaningful error message to the user. All web servers, application servers, and web application environments are prone to error handling issues.
How Does Uncustomized Error Page Affect the System?
Error pages, which give an error message to the user about the system, can provide information about the related web application, such as server name, version properties, if not customized by the administrator. This information reveals implementation details that should never have been exposed. Therefore, such details can provide attackers with important clues about potential flaws in the site. Based on these clues, the attacker shapes the other attack stages accordingly.
How to Detect Non-Customized Error Page?
HTTP response status codes fall into five categories. The first digit of the status code defines the class of the response. Requests to be made according to these status codes provide the necessary output.
|HTTP Response Status Code
|Request received, process in progress
|Request successfully received, understood and accepted
|Further action required to complete the request
|The request contains incorrect syntax or cannot be fulfilled
|The server could not fulfill a valid request
How to Edit Non-Customized Error Page?
Types of errors should only be provided as helpful feedback to the user. In this feedback, a policy should be drawn up on what information to convey to the user, how errors will be handled, and error pages should be created accordingly. When errors occur, respond with a specially designed result, without revealing unnecessary details. Error classes must be logged in order to detect application errors or attacks on the site.