Details

Alert ID: 90022
Alert Type: Passive
Status: release
Risk: Medium
CWE: 200
WASC: 13
Technologies Targeted: All
Tags:
  CUSTOM_PAYLOADS
  CWE-200
  OWASP_2017_A06
  OWASP_2021_A05
  WSTG-V42-ERRH-01
  WSTG-V42-ERRH-02
More Info: Scan Rule Help

Summary

This page contains an error or warning message that may disclose sensitive information, such as the path of the source file that produced an unhandled exception, the exception type, or a stack trace. Details like these reveal the framework, language and internal layout of the application and can be used to plan further attacks against it. The alert may be a false positive when the matched text is part of documentation (for example a page that describes error messages) rather than an error the application actually produced.

Solution

Review the source code that produces this page and make sure unhandled exceptions are caught. Implement custom error pages that return only a generic message. Consider returning a unique error reference/identifier to the client (browser) while logging the full details (exception type, stack trace, file paths) on the server side under that same reference, so that support staff can find the cause without any of it being exposed to the user.
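
The following is an added example and is not part of ZAP or the scan rule. It uses a small stdlib-only WSGI app to show the behaviour this alert flags (a handler that returns the traceback to the client) next to the recommended fix (a generic error page carrying an opaque reference, with the traceback logged server-side under that reference). The `business_logic` fault, the `DISCLOSURE_PATTERNS` list and all function names are constructed for illustration; the patterns are a simplified heuristic and are not the scan rule's actual matching logic.

```python
"""Added example (not ZAP code): leaky error handling beside a hardened
version that returns only an opaque reference to the client."""
import logging
import re
import traceback
import uuid
from io import BytesIO

LOG = logging.getLogger("app")


def business_logic(environ):
    """Constructed fault: raises when the expected parameter is absent,
    standing in for any unhandled exception in a real handler."""
    if "id=" not in environ.get("QUERY_STRING", ""):
        raise KeyError("id")
    return b"ok\n"


def leaky_app(environ, start_response):
    """Before: the traceback (file paths, line numbers, exception type)
    is sent straight back to the client."""
    try:
        body = business_logic(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]
    except Exception:
        start_response("500 Internal Server Error",
                       [("Content-Type", "text/plain")])
        return [traceback.format_exc().encode()]


def make_hardened_app(sink=LOG.error):
    """After: returns a WSGI app whose error page carries only a random
    reference; the full traceback goes to `sink` (server-side log)."""
    def app(environ, start_response):
        try:
            body = business_logic(environ)
            start_response("200 OK", [("Content-Type", "text/plain")])
            return [body]
        except Exception:
            ref = uuid.uuid4().hex
            # Everything useful for debugging stays on the server, keyed by ref.
            sink("ref=%s path=%s\n%s" % (
                ref, environ.get("PATH_INFO"), traceback.format_exc()))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [("An internal error occurred. Reference: %s\n" % ref)
                    .encode()]
    return app


def run(app, path="/item", query=""):
    """Invoke a WSGI app with a minimal constructed environ and return
    (status line, decoded body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "wsgi.input": BytesIO(b"")}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


# Simplified heuristic (assumption, not the scan rule's patterns) for the
# kind of text that signals an application error disclosure.
DISCLOSURE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File ".+", line \d+'),
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),
    re.compile(r"<b>(Warning|Fatal error|Parse error)</b>:.*? on line \d+",
               re.I),
]
REF_RE = re.compile(r"Reference: ([0-9a-f]{32})")


def looks_like_error_disclosure(body):
    return any(p.search(body) for p in DISCLOSURE_PATTERNS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, app in (("leaky", leaky_app), ("hardened", make_hardened_app())):
        status, body = run(app, "/item", "")
        print("%s: %s discloses=%s\n%s" % (
            name, status, looks_like_error_disclosure(body), body))
```

Running the module prints both responses for the same failing request: the leaky one contains the Python traceback with the absolute path of this file, the hardened one only a 32-character reference that can be grepped for in the server log. The `sink` parameter exists so the log destination can be swapped (here for a plain logger call, in a test for a list); the reference is generated with `uuid4` so it cannot be guessed or enumerated by a client.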

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/ApplicationErrorScanRule.java