Bug #16602
[MW-2][BE] Poor Error Handling
| Status: | Closed | Start date: | 13 June 2023 |
|---|---|---|---|
| Priority: | High | Due date: | 20 June 2023 |
| Assignee: | Nor Khairun Aqila Jesmen | % Done: | 100% |
| Category: | - | Spent time: | - |
| Target version: | - | | |
Description
The application returns error messages containing stack traces. When reproduced, some error conditions lead to default error pages generated by the server.
Fixes:
Create one customised error message screen in place of all default error messages. BIBD to advise on the error message wording.
Apply all fixes to both System Owner and Partner
History
#1 Updated by Nur Azza Syazwany Azizol over 1 year ago
- File MW-2 Fixes.docx added
- Status changed from New to Resolved
- Assignee changed from Nur Azza Syazwany Azizol to Nor Khairun Aqila Jesmen
- % Done changed from 0 to 100
Modify web.xml:
1. Add
    <error-page>
        <error-code>400</error-code>
        <location>/cc_iam/WEB-INF/vm/400.vm</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/cc_iam/WEB-INF/vm/404.vm</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/cc_iam/WEB-INF/vm/500.vm</location>
    </error-page>
2. Add ServerInfo.properties in the newly created folder(s) org/apache/catalina/util
3. Enable httpHeaderSecurity
4. Add hstsEnabled
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
5. Enable the filter-mapping for httpHeaderSecurity
6. Add in the session-config section
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
References:
1. https://docs.bmc.com/docs/security/basic-tomcat-security-configuration-recommendations-924057229.html
2. https://eliarms.medium.com/how-to-implement-httponly-and-secure-cookie-in-web-servers-ebad20427b94
#2 Updated by Nur Azza Syazwany Azizol over 1 year ago
- File MW-2 Fixes v1.1.docx added
Attached updated document v1.1
#3 Updated by Nor Khairun Aqila Jesmen over 1 year ago
- Status changed from Resolved to In Progress
- Assignee changed from Nor Khairun Aqila Jesmen to Nur Azza Syazwany Azizol
- % Done changed from 100 to 80
To display a customised screen when hitting errors 400, 404 or 500.
Error message, either:
Invalid browser action
or
Invalid browser action
You have either clicked on the browser's back/forward button or refreshed the page, which is not allowed.
For security reasons, we have logged you out and apologise for any inconvenience caused.
#4 Updated by Nur Azza Syazwany Azizol over 1 year ago
- File MW-2 Fixes v1.2.docx added
- Status changed from In Progress to Resolved
- Assignee changed from Nur Azza Syazwany Azizol to Nor Khairun Aqila Jesmen
- % Done changed from 80 to 100
CHANGES (SYSTEM OWNER AND MERCHANT)
- Create a new ServerInfo.properties file in the newly created folder(s) /lib/org/apache/catalina/util to remove the Tomcat version
- Modify server.xml to display a custom static error page for all error contexts
Add ErrorReportValve in the Host section
- Modify web.xml:
Enable httpHeaderSecurity
Add hstsEnabled
Enable the filter-mapping for httpHeaderSecurity
Add cookie-config in the session-config section
References:
- https://docs.bmc.com/docs/security/basic-tomcat-security-configuration-recommendations-924057229.html
- https://eliarms.medium.com/how-to-implement-httponly-and-secure-cookie-in-web-servers-ebad20427b94
- https://stackoverflow.com/questions/52814582/tomcat-is-not-redirecting-to-400-bad-request-custom-error-page
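The two fix lists above (updates #1 and #4) name the settings but not how to confirm they are in place, and they split the work across web.xml and server.xml for a reason worth stating: a web.xml `<error-page>` only fires for requests that reached the cc_iam context, while a malformed request rejected by the connector (400) or a request for an unknown context (404) never gets there and is rendered by the Host's ErrorReportValve, whose defaults print the stack trace and the Tomcat version. The script below is an added example, not code from the ticket or the project: it audits web.xml and server.xml fragments for every setting the ticket lists, using constructed weak and hardened samples. The `<location>` values are written context-relative (a location must not include the /cc_iam context path); the catch-all static page path `webapps/ROOT/error.html` and the session timeout are assumptions.

```python
"""Offline audit of the Tomcat hardening described in MW-2 updates #1 and #4.
Added example with constructed sample configs; not the project's own code."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so '{http://...}filter' matches 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None


def audit_web_xml(xml_text, required_codes=(400, 404, 500)):
    """Return findings for the web.xml fixes; an empty list means all are present."""
    root = ET.fromstring(xml_text)
    findings = []
    # custom <error-page> for each status code the ticket names
    codes = {_child_text(e, "error-code") for e in _find_all(root, "error-page")}
    findings += [f"no <error-page> for HTTP {c}" for c in required_codes if str(c) not in codes]
    # httpHeaderSecurity declared, hstsEnabled=true, and actually mapped to URLs
    declared = hsts = False
    for f in _find_all(root, "filter"):
        if _child_text(f, "filter-name") == "httpHeaderSecurity":
            declared = True
            hsts = any(_child_text(p, "param-name") == "hstsEnabled"
                       and _child_text(p, "param-value") == "true"
                       for p in _find_all(f, "init-param"))
    if not declared:
        findings.append("httpHeaderSecurity filter not declared")
    elif not hsts:
        findings.append("httpHeaderSecurity declared but hstsEnabled is not true")
    if not any(_child_text(m, "filter-name") == "httpHeaderSecurity"
               for m in _find_all(root, "filter-mapping")):
        findings.append("httpHeaderSecurity has no <filter-mapping>")
    # session cookie flags
    cfg = _find_all(root, "cookie-config")
    if not cfg:
        findings.append("no <cookie-config> under <session-config>")
    else:
        findings += [f"session cookie <{flag}> is not true" for flag in ("http-only", "secure")
                     if _child_text(cfg[0], flag) != "true"]
    return findings


def audit_server_xml(xml_text):
    """Return findings for the Host's ErrorReportValve; an empty list means hardened."""
    root = ET.fromstring(xml_text)
    valves = [v for v in _find_all(root, "Valve")
              if v.get("className") == "org.apache.catalina.valves.ErrorReportValve"]
    if not valves:
        return ["no ErrorReportValve in <Host>: Tomcat's default error page is used"]
    # Tomcat defaults both to true, which prints the stack trace and 'Apache Tomcat/x.y.z'.
    return [f"ErrorReportValve {a} is not false" for a in ("showReport", "showServerInfo")
            if valves[0].get(a, "true") != "false"]


# Constructed samples: the weak ones mirror the pre-fix state, the hardened ones the ticket's fixes.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
  <error-page><error-code>400</error-code><location>/WEB-INF/vm/400.vm</location></error-page>
  <error-page><error-code>404</error-code><location>/WEB-INF/vm/404.vm</location></error-page>
  <error-page><error-code>500</error-code><location>/WEB-INF/vm/500.vm</location></error-page>
</web-app>"""

WEAK_SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""

# errorCode.0 is the catch-all static page served for every status; the path is an assumption.
HARDENED_SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false" errorCode.0="webapps/ROOT/error.html"/>
  </Host>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for label, fn, text in (("weak web.xml", audit_web_xml, WEAK_WEB_XML),
                            ("hardened web.xml", audit_web_xml, HARDENED_WEB_XML),
                            ("weak server.xml", audit_server_xml, WEAK_SERVER_XML),
                            ("hardened server.xml", audit_server_xml, HARDENED_SERVER_XML)):
        print(label, "->", fn(text) or "OK")
```

Run it against the deployed conf/web.xml, the application's WEB-INF/web.xml and conf/server.xml after the change and again after each Tomcat upgrade, since a reinstall restores the default ErrorReportValve and the commented-out httpHeaderSecurity filter. The ServerInfo.properties override from the ticket is still needed separately: `showServerInfo="false"` hides the version on error pages, but the properties file is what changes the version string Tomcat reports elsewhere.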
#5 Updated by Nor Khairun Aqila Jesmen about 1 year ago
- Status changed from Resolved to Closed
Closed