by Horatiu Dan
While in development mode, it makes sense for the working environment to signal errors and provide as many insightful details as possible so that they are easily addressed and documented.
In production, on the other hand, it is a good practice to limit the details provided to the user in case of an error, especially if these neither contribute to the UI experience nor help in general.
As someone once said, "sometimes less is more", and the main argument here is application security.
This post describes how to configure Tomcat so that in case of unexpected errors it hides pieces of information valuable for a potential attacker. Such details include the server version and the stack trace shown on the error page.
By default, in case of an application error Tomcat displays a page as below:
Default Configuration
When looking at it, an ordinary user can tell that the application runs on Apache Tomcat, version 9.0.40. Moreover, the stack trace presents enough pieces of information that a more experienced user may read it and infer the versions of some application dependencies. For instance, a certain line is observed, then looked up in the source code, and the version is deduced.
The next step is to research any known vulnerabilities of the actual Tomcat version or of the corresponding dependency. Based on these, an exploit can be constructed afterwards.
The straightforward fix for this exposure is to stop displaying these details on the error page.
In order to achieve this, org.apache.catalina.valves.ErrorReportValve shall be configured in the $TOMCAT_HOME/conf/server.xml file, with the showReport and showServerInfo attributes set to false.
...
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    ...
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false"/>
    ...
</Host>
...
According to Tomcat documentation:
- showReport is a flag that determines if the error report (custom error message and/or stack trace) is presented when an error occurs. If set to false, then the error report is not returned in the HTML response
- showServerInfo is a flag that determines if server information is presented when an error occurs. If set to false, then the server version is not returned in the HTML response
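Since both attributes default to true when omitted, it is easy to harden one Host and forget another. The following script is an added example, not part of the original post or of Tomcat: it parses a server.xml document and reports, per Host, whether an ErrorReportValve is present and whether both attributes are explicitly set to false. The sample server.xml embedded in it is constructed for illustration.

```python
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: one hardened Host, one partially hardened, one left at defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host name="intranet.example" appBase="intranet">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"/>
      </Host>
      <Host name="legacy.example" appBase="legacy"/>
    </Engine>
  </Service>
</Server>
"""


def audit_error_report_valve(server_xml: str) -> dict:
    """Return a mapping of Host name -> list of findings (empty list means hardened)."""
    root = ET.fromstring(server_xml)
    findings = {}
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        problems = []
        # Only Valve elements that are direct children of this Host and use the ErrorReportValve class
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE_CLASS]
        if not valves:
            problems.append("no ErrorReportValve configured: report and server info are shown by default")
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                # Tomcat treats a missing attribute as true, so absence is a finding too
                value = valve.get(attr, "true")
                if value.strip().lower() != "false":
                    problems.append(f'{attr}="{value}" (should be "false")')
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for host_name, problems in audit_error_report_valve(SAMPLE_SERVER_XML).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{host_name}: {status}")
```

To audit a real instance, pass the contents of $TOMCAT_HOME/conf/server.xml instead of the constructed sample.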
After changing the configuration and restarting the Tomcat instance, the result can be seen in the image below:
Custom Configuration
Obviously there are no details, only a neutral error page.
The picture was taken in 2021, view from the Rasnov Citadel, Romania.