Vulnerability Fixation: Error Page Disclosure


What is Error Page Disclosure?

Every web application displays an error page to let users know that something went wrong. An improperly configured error page can unintentionally expose sensitive information such as file paths, stack traces and server information.


Why shouldn’t we disclose web server information?

Using the web server information disclosed through an error page, an attacker can look up and exploit known vulnerabilities associated with that specific software version or configuration.


How do we get to see any server information through an error page of a web application?

Manual Ways

  1. Request a non-existent URL, or submit invalid data in a form (for example, a form with required fields left empty). The server responds with an error page; check it for any server version information.
  2. Check the HTML source code of the error page for any server version information.
  3. Check the page header and footer for server version information.

Using Proxy -

Use a proxy tool such as Burp Suite to intercept and inspect HTTP requests and responses. Analyze the intercepted error page for server version information in the response headers or body.

Scanning Tools -

Use a tool such as OWASP ZAP to scan the web application for vulnerabilities, including server version disclosure.

Error Page Analysis -

Some error pages use the default templates shipped with the web server software, and those templates can disclose web server information.
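The checks described above (response headers, body and page footer) can be automated for your own servers. The following Python script is an added example, not code from the original article: it inspects a response's headers and body for product/version strings, stack-trace lines and absolute filesystem paths, and runs over three constructed sample responses (an Apache-style default 404, a Tomcat-style default 500, and a hardened page). The header names, regular expressions and sample bodies are assumptions chosen for this example.

```python
import re

# Response headers that commonly carry product or version strings.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Product name directly followed by a version number, e.g. "Apache/2.4.41" or "Microsoft-IIS/10.0".
VERSION_RE = re.compile(
    r"\b(Apache Tomcat|Apache|nginx|Microsoft-IIS|Tomcat|PHP|ASP\.NET|Express)[/ ]\d+(?:\.\d+)*",
    re.IGNORECASE,
)
# Typical stack-trace lines from Java, Python and .NET error pages.
TRACE_RE = re.compile(
    r"^\s*at [\w$.]+\([\w$.]*:\d+\)|Traceback \(most recent call last\)|Stack Trace:",
    re.MULTILINE,
)
# Absolute filesystem paths that an error page should never echo back.
PATH_RE = re.compile(r"(?:/var/www|/usr/share|/opt|[A-Za-z]:\\)[\w./\\-]*")


def find_disclosures(headers, body):
    """Return a list of human-readable findings for one HTTP response.

    headers: dict of header name -> value (names compared case-insensitively)
    body:    response body as text
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS and value.strip():
            # A bare product name ("Apache") is less useful to an attacker than a version.
            kind = "version" if re.search(r"\d", value) else "product name"
            findings.append(f"header {name}: {value!r} ({kind})")
    for match in VERSION_RE.finditer(body):
        findings.append(f"body version string: {match.group(0)!r}")
    if TRACE_RE.search(body):
        findings.append("body contains a stack trace")
    for match in PATH_RE.finditer(body):
        findings.append(f"body filesystem path: {match.group(0)!r}")
    return findings


# Constructed sample responses for this example (not captured from any real server).
SAMPLES = {
    "apache_default_404": (
        {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
        "<html><body><h1>Not Found</h1>\n"
        "<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>\n"
        "</body></html>",
    ),
    "tomcat_default_500": (
        {"Content-Type": "text/html"},
        "<h1>HTTP Status 500 - Internal Server Error</h1>\n"
        "<pre>java.lang.NullPointerException\n"
        "\tat com.example.app.OrderServlet.doGet(OrderServlet.java:42)\n"
        "</pre><h3>Apache Tomcat/9.0.65</h3>",
    ),
    "hardened_404": (
        {"Content-Type": "text/html"},
        "<html><body><h1>Page not found</h1></body></html>",
    ),
}


def scan_samples():
    """Run find_disclosures over every constructed sample; returns name -> findings."""
    return {name: find_disclosures(h, b) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

In practice you would feed `find_disclosures` the headers and body captured by your proxy or HTTP client; the patterns are deliberately simple and should be extended for the products you actually run.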

How to prevent Apache server from disclosing web server information?

  1. In the Apache configuration file (‘httpd.conf’), ensure the following directives are present.
  2. ServerSignature Off - disables the server signature line that Apache appends to the pages it generates itself, such as error pages. ServerTokens Prod - limits the Server response header to the product name only, without version or module details.
  3. Create custom error pages for the common HTTP error codes and remove any reference to the server version or operating system.
  4. Configure firewall rules to restrict access to sensitive server information.

How to prevent IIS server from disclosing web server information?

1. Modifying Response Headers

  • Open IIS Manager.
  • Select the required website in the Connections panel on the left.
  • Double-click the ‘HTTP Response Headers’ feature.
  • Click ‘Add…’ in the Actions pane.
  • Enter ‘Server’ as the name and leave the value blank.
  • Click OK to add the header.
  • Optionally, remove any other unnecessary headers that could reveal server information.

2. Modifying configuration file

  • Open your application’s ‘web.config’ file in a text editor.
  • Locate the <system.webServer> section within this file. If this section is absent, create it.
  • Add or modify the <httpErrors> element within this section using the following code.

        <configuration>
          <system.webServer>
            <httpErrors existingResponse="PassThrough" />
          </system.webServer>
        </configuration>

  • Save the ‘web.config’ file.
  • Remote users will then no longer be able to access the detailed error pages.
  • So, unauthorized users won’t have access to this privileged information.

How to prevent Tomcat server from disclosing web server information?

1. Modifying Response Headers

  • In your Tomcat installation, open the ‘web.xml’ file in the ‘conf’ directory.
  • Locate the <filter> element for the ‘ResponseHeader’ filter. If this element is absent, create it directly under the root element of the file.
  • Configure the ‘ResponseHeader’ filter to remove server headers:
        <filter>
          <filter-name>RemoveServerHeaderFilter</filter-name>
          <filter-class>org.apache.catalina.filters.SetAllHeadersFilter</filter-class>
          <init-param>
            <param-name>setServer</param-name>
            <param-value>false</param-value>
          </init-param>
        </filter>

        <filter-mapping>
          <filter-name>RemoveServerHeaderFilter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>


2. Modify Server Configuration

  • In your Tomcat installation, open the ‘server.xml’ file in the ‘conf’ directory.
  • Locate the <Connector> element that defines the ports on which the Tomcat server listens (8080 for HTTP and 8443 for HTTPS).
  • Add the attributes server="", serverInfo="" and xpoweredBy="false" to this element.

        <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443"
                   server=""
                   serverInfo=""
                   xpoweredBy="false" />

3. Disable server information in error page

  • In your Tomcat installation, open the ‘web.xml’ file in the ‘conf’ directory.
  • Locate the <error-page> elements.
  • Configure custom error pages and ensure that they do not reveal server information.

        <error-page>
          <error-code>500</error-code>
          <location>/errors/500.html</location>
        </error-page>

        <error-page>
          <error-code>404</error-code>
          <location>/errors/404.html</location>
        </error-page>
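The Apache and Tomcat hardening steps above can be verified mechanically before a deployment. The following Python script is an added example, not code from the original article or from the Apache or Tomcat projects: it audits an httpd.conf fragment for the ServerSignature and ServerTokens directives, a Tomcat server.xml for the Connector server and xpoweredBy attributes, and a web.xml for custom error-page mappings for 404 and 500. The weak and hardened configuration fragments are constructed for this example; the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET


def audit_httpd_conf(text):
    """Return problems found in an Apache httpd.conf fragment (empty list = hardened)."""
    problems = []
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(ServerSignature|ServerTokens)\s+(\S+)", line, re.IGNORECASE)
        if m:
            directives[m.group(1).lower()] = m.group(2)  # last occurrence wins
    if directives.get("serversignature", "").lower() != "off":
        problems.append("ServerSignature is not Off")
    if directives.get("servertokens", "").lower() != "prod":
        problems.append("ServerTokens is not Prod")
    return problems


def _local(tag):
    """Strip an XML namespace prefix: '{http://...}tag' -> 'tag'."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(text):
    """Return problems found in the Connector elements of a Tomcat server.xml."""
    problems = []
    for conn in ET.fromstring(text).iter():
        if _local(conn.tag) != "Connector":
            continue
        port = conn.get("port", "?")
        if conn.get("server") is None:
            problems.append(f"Connector {port}: server attribute not set")
        if conn.get("xpoweredBy", "false").lower() == "true":
            problems.append(f"Connector {port}: xpoweredBy is true")
    return problems


def audit_web_xml(text, required_codes=("404", "500")):
    """Return problems for HTTP status codes lacking a custom error-page mapping."""
    mapped = {}
    for ep in ET.fromstring(text).iter():
        if _local(ep.tag) != "error-page":
            continue
        code = location = None
        for child in ep:
            if _local(child.tag) == "error-code":
                code = (child.text or "").strip()
            elif _local(child.tag) == "location":
                location = (child.text or "").strip()
        if code:
            mapped[code] = location
    return [f"no custom error page mapped for HTTP {c}"
            for c in required_codes if not mapped.get(c)]


# Constructed configuration fragments for this example.
WEAK_HTTPD = "ServerSignature On\nServerTokens Full\n"
HARDENED_HTTPD = "# hardened\nServerSignature Off\nServerTokens Prod\n"
WEAK_SERVER_XML = ('<Server><Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1" '
                   'connectionTimeout="20000" redirectPort="8443"/></Service></Server>')
HARDENED_SERVER_XML = ('<Server><Service name="Catalina"><Connector port="8080" protocol="HTTP/1.1" '
                       'connectionTimeout="20000" redirectPort="8443" server="" '
                       'xpoweredBy="false"/></Service></Server>')
WEAK_WEB_XML = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"></web-app>'
HARDENED_WEB_XML = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">'
                    '<error-page><error-code>500</error-code><location>/errors/500.html</location></error-page>'
                    '<error-page><error-code>404</error-code><location>/errors/404.html</location></error-page>'
                    '</web-app>')


if __name__ == "__main__":
    for label, result in [
        ("weak httpd.conf", audit_httpd_conf(WEAK_HTTPD)),
        ("hardened httpd.conf", audit_httpd_conf(HARDENED_HTTPD)),
        ("weak server.xml", audit_server_xml(WEAK_SERVER_XML)),
        ("hardened server.xml", audit_server_xml(HARDENED_SERVER_XML)),
        ("weak web.xml", audit_web_xml(WEAK_WEB_XML)),
        ("hardened web.xml", audit_web_xml(HARDENED_WEB_XML)),
    ]:
        print(f"{label}: {result or 'OK'}")
```

To audit real files, read them from disk and pass the text to the matching function; note that the audit only checks the settings discussed on this page, so a clean result does not rule out other disclosures.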

Vaibhavi Nayak

Cyber Security Analyst

Location: Pune, India

Vaibhavi is a web and network pentester and enthusiast in the cyber security domain. Her primary focus is on vulnerability assessment and penetration testing of corporate networks, firewalls, web and cloud apps, and mobile apps. Coming from an electronics engineering background, she has a passion to get into the world of IoT and OT cyber security. She is always on the path of learning and trying new things in the domain she likes.