SkipFish found way more than WebSecurify, but there were more false positives than real issues; however, it allowed me to find out that 500 and 404 errors were actually not being handled and instead plain Tomcat headers were coming back to the browser.
Of course there is a simple solution for this: add these entries to web.xml:
<error-page>
    <error-code>500</error-code>
    <location>/serverError.html</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/notFound.html</location>
</error-page>
You could get more sophisticated, but the above at least stops the stock Tomcat error page, which prints the container type and version in its title and footer, from being shown to potential intruders. Two things it does not cover: any other status code (400, 403, 405 and so on) still renders the default page unless it gets its own <error-page> entry, and the Server response header is set on the Connector in server.xml (its server attribute), not in web.xml, so it has to be changed there if it still names the container. Keep the two pages themselves static so they do not echo the request path or an exception message back to the client.
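A quick way to confirm the fix from the outside, added here as an example and not part of the original post: request a URL that does not exist (or one known to error) and inspect the response for the fingerprints a scanner like SkipFish flags. The three sample responses are constructed for this example, modelled on the stock Tomcat error page with an invented version number; the probe() helper and its default /this-page-does-not-exist path are assumptions for live use against your own server.

```python
import re
import sys
import urllib.error
import urllib.request

# Strings that give the container away. The stock Tomcat error page names
# "Apache Tomcat/<version>" in its title and footer, and its heading starts
# with "HTTP Status <code> -". "Apache-Coyote" is the stock Server header of
# older Tomcat releases.
BODY_PATTERNS = [
    re.compile(r"Apache Tomcat/[\d.]+"),
    re.compile(r"HTTP Status \d{3}\s*[-\u2013]"),
]
HEADER_PATTERNS = {
    "server": re.compile(r"Apache-Coyote|Apache Tomcat", re.IGNORECASE),
    "x-powered-by": re.compile(r"."),  # any value at all is a disclosure
}
STACK_FRAME = re.compile(r"\bat [\w.$]+\([\w.]+\.java:\d+\)")


def find_fingerprint_leaks(status, headers, body):
    """Describe what an error response reveals about the back end.

    headers is a mapping of header name to value (matched case-insensitively).
    Returns a list of findings; an empty list means the response looks like a
    neutral custom error page.
    """
    leaks = []
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, pattern in HEADER_PATTERNS.items():
        if name in lowered and pattern.search(lowered[name]):
            leaks.append(f"header {name}: {lowered[name]}")
    for pattern in BODY_PATTERNS:
        match = pattern.search(body)
        if match:
            leaks.append(f"body contains {match.group(0)!r}")
    # A stack trace in a 500 body is a separate and worse disclosure.
    if status == 500 and STACK_FRAME.search(body):
        leaks.append("body contains a Java stack trace")
    return leaks


def probe(base_url, path="/this-page-does-not-exist"):
    """Fetch a URL expected to fail and run find_fingerprint_leaks on it.

    Hypothetical helper for live use; the default path is an assumption.
    Returns (status, leaks).
    """
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url) as resp:
            status, headers = resp.status, dict(resp.headers)
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, headers = err.code, dict(err.headers)
        body = err.read().decode("utf-8", "replace")
    return status, find_fingerprint_leaks(status, headers, body)


# Constructed sample responses (not captured from a real server).
DEFAULT_404 = (
    404,
    {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html;charset=utf-8"},
    "<html><head><title>Apache Tomcat/7.0.42 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /nosuchpage</h1><hr/>"
    "<p><b>description</b> <u>The requested resource is not available.</u></p>"
    "<hr/><h3>Apache Tomcat/7.0.42</h3></body></html>",
)
DEFAULT_500 = (
    500,
    {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html;charset=utf-8"},
    "<html><body><h1>HTTP Status 500 - </h1><p><b>exception</b></p>"
    "<pre>java.lang.NullPointerException\n"
    "\tat com.example.web.ReportServlet.doGet(ReportServlet.java:57)\n"
    "\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:621)\n</pre>"
    "<hr/><h3>Apache Tomcat/7.0.42</h3></body></html>",
)
CUSTOM_404 = (
    404,
    {"Content-Type": "text/html"},
    "<html><body><h1>Page not found</h1><p>Sorry, nothing lives here.</p></body></html>",
)


if __name__ == "__main__":
    samples = (("default 404", DEFAULT_404), ("default 500", DEFAULT_500), ("custom 404", CUSTOM_404))
    for label, sample in samples:
        print(label, find_fingerprint_leaks(*sample) or "no fingerprint found")
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with no arguments to see the three samples classified; pass a base URL (e.g. http://localhost:8080) to probe a live server for a 404. An empty list from find_fingerprint_leaks only means the obvious Tomcat markers are absent; it does not prove the Server header or other status codes are clean, so repeat the probe for each status your application can return.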