Hi Tomcat Support,

Based on our current setup, Apache Tomcat version 9.0.65 is installed on top of the Windows operating system. The server is basically dedicated to an API-based program where an integration process occurs between our API and the client's application.

We recently went through a penetration test activity, and there is one test case that we encountered related to error handling in Tomcat. What the pen-tester did was purposely insert wrongly formatted input just to see the response received at the client's application level. However, the input was not even submitted to the application level, since it was removed/eliminated automatically by Tomcat, which generated a technical error message. According to the pen-tester team, that error message should be customized to a non-technical message to avoid any exploitation activity. We tried to find a solution for that in Tomcat; however, we could not implement it as they requested. Hence, we would like to get clarification from the Tomcat team: is there any way that the error message can be customized in Tomcat? And is there any potential risk to the application when this kind of error message is exposed?

A sample of the Tomcat error message response is as below:

    <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
      <S:Body>
        <S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
          <faultcode>S:Server</faultcode>
          <faultstring>javax.xml.bind.UnmarshalException - with linked exception: [com.ctc.wstx.exc.WstxParsingException: String ']]>' not allowed in textual content, except as the end marker of CDATA section at [row,col {unknown-source}]: [8,26]]</faultstring>
        </S:Fault>
      </S:Body>
    </S:Envelope>

Thanks and have a good day,

Amir
Project Manager
Project Management Office
MSC Trustgate.com Sdn. Bhd. (478231-x)
Suite 2-9, Level 2, Block 4801
CBD Perdana, Jalan Perdana
63000 Cyberjaya
Selangor Darul Ehsan
Malaysia
Tel: +603 8318 1800
Fax: +603 8319 1800
HP: +6017 3913905
a...@msctrustgate.com
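Added example (not part of the message above, and not code from the Tomcat project). The fault quoted in the post is not generated by Tomcat itself: a SOAP envelope with a faultstring naming javax.xml.bind.UnmarshalException and a Woodstox parsing exception is produced by the JAX-WS/JAXB SOAP stack running inside the web application, so Tomcat's own error-page settings (web.xml <error-page> entries or the ErrorReportValve attributes showReport and showServerInfo, which only govern Tomcat-generated HTML error pages) do not touch it. What such a faultstring gives an attacker is a fingerprint of the binding and parser stack in use, plus the exact row/column at which parsing failed, which helps in tuning malformed input; it is an information-disclosure finding rather than a direct exploit. One way to meet the pen-tester's request without changing the SOAP endpoint is a servlet filter, mapped in front of the endpoint in web.xml, that buffers the response and replaces every <faultstring> with a generic message carrying a correlation id, while logging the original detail server-side. The filter class name, the correlation-id scheme, the SOAP 1.1 <faultstring> shape (as shown in the post) and the assumption that the endpoint is deployed as a servlet under Tomcat 9's javax.servlet API are all assumptions made for this example.

```java
// Added example (not from the thread, not Tomcat code): a servlet filter that
// buffers the application's response and, when it is a SOAP fault, replaces the
// <faultstring> with a generic message plus a correlation id, while logging the
// original technical detail server-side. Assumes Tomcat 9 (javax.servlet 4.0).
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SoapFaultSanitizingFilter implements Filter {

    // Matches the faultstring element of a SOAP 1.1 fault (the shape quoted in the post).
    private static final Pattern FAULTSTRING =
            Pattern.compile("<faultstring>.*?</faultstring>", Pattern.DOTALL);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        BufferingResponse buffered = new BufferingResponse(http);
        chain.doFilter(req, buffered);          // the SOAP endpoint writes into our buffer

        String enc = buffered.getCharacterEncoding();
        Charset cs = enc != null ? Charset.forName(enc) : StandardCharsets.UTF_8;
        String body = buffered.bodyAsString(cs);
        if (body.contains("<faultstring>")) {
            // Hypothetical correlation id: operators look it up in the server log,
            // the client only ever sees the id, never the exception detail.
            String ref = UUID.randomUUID().toString();
            req.getServletContext().log("SOAP fault " + ref + ": " + body);
            body = sanitize(body, ref);
        }
        byte[] out = body.getBytes(cs);
        http.setContentLength(out.length);      // body length changed, set it on the real response
        http.getOutputStream().write(out);
    }

    /** Replace every faultstring with a non-technical message carrying the correlation id. */
    static String sanitize(String soap, String ref) {
        String generic = "<faultstring>The request could not be processed. Reference: "
                + ref + "</faultstring>";
        return FAULTSTRING.matcher(soap).replaceAll(Matcher.quoteReplacement(generic));
    }

    /** Captures everything the endpoint writes instead of sending it to the client. */
    private static final class BufferingResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private PrintWriter writer;

        BufferingResponse(HttpServletResponse r) { super(r); }

        @Override public ServletOutputStream getOutputStream() {
            return new ServletOutputStream() {
                @Override public void write(int b) { buf.write(b); }
                @Override public boolean isReady() { return true; }
                @Override public void setWriteListener(WriteListener l) { }
            };
        }

        @Override public PrintWriter getWriter() {
            if (writer == null) {
                String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "UTF-8";
                writer = new PrintWriter(new OutputStreamWriter(buf, Charset.forName(enc)), true);
            }
            return writer;
        }

        // The endpoint's Content-Length and flushes must not reach the real response,
        // otherwise the original length would be committed before the body is rewritten.
        @Override public void setContentLength(int len) { }
        @Override public void setContentLengthLong(long len) { }
        @Override public void flushBuffer() { }
        @Override public void resetBuffer() { buf.reset(); }

        String bodyAsString(Charset cs) {
            if (writer != null) writer.flush();
            return new String(buf.toByteArray(), cs);
        }
    }
}
```

Register it in the application's web.xml with a <filter> element naming this class and a <filter-mapping> whose <url-pattern> covers the SOAP endpoint path, so it runs before the JAX-WS servlet. The faultcode (S:Server) and the HTTP status are left as the stack set them, so the client can still tell that the request failed; what it no longer learns is which parser rejected the input and where. Because the whole response is buffered, the filter is only appropriate for request/response-sized SOAP messages, not streamed attachments.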