1. Home
  2. Web App Vulnerabilities
  3. How to remediate – Error Message
Searching...

How to remediate – Error Message

Contents

1. Introduction

Error Message is a vulnerability where an error or warning message is displayed on a remote web server. This can allow attackers to view sensitive information and potentially conduct further attacks against the system. Affected systems are typically web servers and applications that display errors directly to users. A successful exploit could lead to information disclosure, impacting confidentiality.

2. Technical Explanation

The vulnerability occurs when an application displays detailed error messages to end-users instead of logging them securely. This can expose internal paths, database queries, or other sensitive data. An attacker can intentionally trigger errors to gather this information and use it for further exploitation.

  • Root cause: Unhandled exceptions or verbose error reporting in web applications.
  • Exploit mechanism: An attacker sends a crafted request designed to generate an error message containing sensitive data. For example, submitting invalid input to a form field that triggers a database query reveal.
  • Scope: Web servers running PHP, Python, Java, .NET and other server-side languages are affected.

3. Detection and Assessment

To confirm vulnerability, check for error messages displayed in the browser during normal application use or by intentionally submitting invalid input. Thorough assessment involves reviewing application code for verbose error handling.

  • Quick checks: Attempt to submit malformed data into form fields (e.g., special characters, excessively long strings).
  • Scanning: Burp Suite and OWASP ZAP can be used to identify error messages during a web application scan. These are examples only.
  • Logs and evidence: Examine web server logs for error codes or exceptions that may indicate verbose error reporting.
# Example command placeholder:
# No specific command available, check browser output directly.

4. Solution / Remediation Steps

Disable all notice, warning and error displaying in the application configuration. Configure the application to log such messages securely to a file.

4.1 Preparation

  • Ensure you have access to the application’s configuration files and understand how to modify them. Roll back plan: Restore the original configuration file from backup.
  • A change window may be required depending on the production environment. Approval from a system administrator is recommended.

4.2 Implementation

  1. Step 1: Edit the application’s main configuration file (e.g., php.ini, web.config).
  2. Step 2: Set `display_errors` to `Off`.
  3. Step 3: Configure error logging by setting a log file path using directives like `error_log` in PHP or configuring logging frameworks in other languages.

4.3 Config or Code Example

Before

display_errors = On
error_reporting = E_ALL

After

display_errors = Off
error_reporting = E_ALL
error_log = /var/log/application_errors.log

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

  • Practice 1: Secure logging to prevent sensitive information from being exposed in log files.
  • Practice 2: Input validation to reduce the likelihood of triggering errors through malicious input.

4.5 Automation (Optional)

# Example PowerShell snippet for updating php.ini on Windows:
# (This is an example only - adapt to your environment)
# $phpIniPath = "C:pathtophp.ini"
# (Get-Content $phpIniPath) | ForEach-Object { $_ -replace 'display_errors = On', 'display_errors = Off' } | Set-Content $phpIniPath

5. Verification / Validation

Confirm the fix by attempting to trigger an error condition and verifying that no sensitive information is displayed in the browser. Re-test by submitting invalid input and checking for errors. Perform a basic service smoke test to ensure functionality remains intact.

  • Post-fix check: Submit malformed data into form fields; expect a generic error message or blank page, not detailed error information.
  • Re-test: Repeat the initial detection steps and confirm no sensitive error messages are displayed.
  • Smoke test: Verify core application functionality (e.g., login, search) still works as expected.
  • Monitoring: Monitor web server logs for new errors that may indicate a regression or unexpected behavior.
# Post-fix command and expected output
# No specific command available; check browser output directly. Expect no detailed error messages.

6. Preventive Measures and Monitoring

Update security baselines to include secure error handling configurations. Implement checks in CI/CD pipelines to prevent verbose error reporting from being deployed. Establish a regular patch or configuration review cycle.

  • Baselines: Update security baselines to enforce `display_errors = Off` and proper logging configurations.
  • Pipelines: Integrate SAST tools into the CI/CD pipeline to identify potential error handling vulnerabilities in code.
  • Asset and patch process: Review application configuration changes regularly as part of a vulnerability management program.

7. Risks, Side Effects, and Roll Back

Disabling error display may make debugging more difficult. Ensure adequate logging is configured to capture sufficient information for troubleshooting. To roll back, restore the original configuration file from backup.

  • Risk or side effect 1: Reduced visibility into application errors during development and testing. Mitigation: Configure detailed logging.
  • Risk or side effect 2: Potential impact on existing monitoring tools that rely on error messages. Mitigation: Update monitoring configurations to use log data instead of displayed errors.
  • Roll back: Restore the original configuration file from backup, then restart the web server service.

8. References and Resources

  • Vendor advisory or bulletin: N/A – This is a general configuration issue, not specific to one vendor.
  • NVD or CVE entry: https://www.owasp.org/index.php/Error_Handling
  • Product or platform documentation relevant to the fix: Refer to your specific web server and application framework documentation for error handling configuration options.
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles