Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    Disable error exposure in client side

    Hi team,

    We are doing Pentesting for our application and found one security issue with the IDAcalls. So if we intercept the transaction parameter with a invalid string in the request of IDACall we are getting below highlighted response sayng [<BR>&nbsp; "XML parser fatal error: file '(in memory stream)' line 1:
    org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; Content is not allowed in
    prolog."<BR>]. We want to restrict this error and not expose this to client side.

    Click image for larger version

Name:	ErrorExposed.png
Views:	37
Size:	99.3 KB
ID:	274123

    We have alreadt tried with the below configurations added in server.properties but its not helping. Could you please let us know if there is any other parameter which could help to restrict this error exposure.

    servlet.sendStackTraceToClient: false
    isomorphic.log.level=WARN
    isomorphic.log.xml=false


    smartclient.xml.errors.log=true
    smartclient.xml.errors.sendToClient=false

    # Custom Error Messages
    rpc.customErrorMessage=An unexpected error occurred. Please contact support.

    exception.returns.stacktrace: false

    #2
    SmartClient has survived hundreds of pentests without anyone complaining about this message (including the world's largest banks and defense contractors).

    If the reasoning behind the problem is that it reveals that the server is Java and is using standard Java libraries for XML, there are hundreds of other simple ways to figure that out - it cannot be hidden.

    So our emphatic advice would be to do nothing.

    If you want to do something anyway, subclass IDACall and catch the exception.

    Comment

    Working...
    X