Disable the default stacktrace error response in Jetty - error-handling

We received a PenTest finding stating that the stack trace given from the 400 "Unable to Parse" Jetty error (below) gives the attacker too much information and we should disable that part of the error response.
I'm reading through the documentation on error handling but I'm pretty new to both eclipse and jetty. It's unclear to me what I should do.
For example I think where I make the change depends on whether or not we're using WebAppContext, but I don't know how to find out if we are using that or not.
All I've managed to do is find our web.xml file inside WEB_INF/web.xml
Here's the error response: the stack trace continues much further but I shortened here for brevity sake.
HTTP ERROR 400 Unable to parse URI query
URI:
STATUS: 400
MESSAGE: Unable to parse URI query
SERVLET: Portal
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query
CAUSED BY: org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0
Caused by:
org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query
at org.eclipse.jetty.server.Request.getParameters(Request.java:449)
at org.eclipse.jetty.server.Request.getParameter(Request.java:1059)
at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:194)
at com.gce2000.common.servlet.CrossScriptingFilter$XSSRequestWrapper.getParameter(CrossScriptingFilter.java:94)

In your WEB-INF/web.xml just specify an HTML (or Servlet, or JSP) that can handle your error.
<web-app>
<error-page>
<!-- Bad Request -->
<error-code>400</error-code>
<location>/error-bad-request.html</location>
</error-page>
</web-app>
You can declare error-page's for status codes and Exceptions.
You might want to also declare the global one (make sure your WEB-INF/web.xml is using Servlet 3.0 or better)
<web-app>
<error-page>
<location>/error-general.html</location>
</error-page>
</web-app>

Related

Custom error page in tomcat for HTTP 501 error

Before anything else, I've already read all those solutions that says I put an error-page block in my application's or tomcat's conf/web.xml and add an error-code block inside with the corresponding location and those didn't work (did those for 404 errors and those worked).
What I already did inside my application's and tomcat's web.xml:
<error-page> <!-- this worked -->
<error-code>404</error-code>
<location>/pageNotFound.html</location>
</error-page>
<error-page> <!-- this did not work -->
<error-code>501</error-code>
<location>/pageNotFound.html</location>
</error-page>
I'm using Tomcat 8.5.63, and the goal is to remove the "Apache Tomcat/8.5.63" part on the response whenever a 501 error appears.
I want to remove this part:
tomcat error response page
The way I'm testing this is that I intercept a request using a pentest tool (I'm using burp suite community) and modify a request to include a Transfer-Encoding: cow header (yes I know that header is invalid).
Any ideas on how to implement a custom page so that the 501 can be handled properly?
The error pages you declare are used in two situations:
To allow developers to customize the appearance of content returned to a Web client
when a servlet generates an error, the deployment descriptor defines a list of error
page descriptions. The syntax allows the configuration of resources to be returned by
the container either when a servlet or filter calls sendError on the response for
specific status codes, or if the servlet generates an exception or error that propagates
to the container.
(Servlet 4.0 Specification, section 10.9.2)
In your case the error happens much earlier during the processing of the HTTP request itself. Therefore you need to modify the server's configuration (server.xml) and add a custom ErrorReportValve (cf. documentation). If all you want is to omit the server's version string, just add:
<Host>
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" />
...
</Host>

Minio uploads through the web interface and API receives "Unauthorized request."

I can successfully upload files to my Minio server using mc command line client (logged in as root):
./mc cp roobina.jpg minio/mag
roobina.jpg: 63.50 KiB / 63.50 KiB
But when I try to upload a file to a bucket using minio's own web interface I receive this error:
Unauthorized request.
When using api (in a php application using AmazonS3 libraries), I receive this error:
Error:Error executing "PutObject" on "https://s3.***.net/clbu/public/4d/4b/d1ad580690058a636ad58e5af931541336ec.jpg"; AWS HTTP error: Client error: `PUT https://s3.***.net/clbu/public/4d/4b/d1ad580690058a636ad58e5af931541336ec.jpg` resulted in a `403 Forbidden` response:
Forbidden (truncated...) Unable to parse error information from response - Error parsing XML: String could not be parsed as XML
Could someone please help?
After looking at different possible causes, I found that mod_security of apache (used as reverse proxy of minio:9000) was interfering with uploads causing the problem.
I disabled mod_security on the reverse proxy account and the problem is now solved.

What causes this "Unexpected element" that throws XMLStreamValidationException in JBoss config?

I am trying to migrate some software from JBoss 5 to JBoss 7. I am stuck, as my deployment fails with the below exceptions. Keep in mind that the software is working in JBoss 5, so anything that is not working should be because of differences between JBoss 5/7, I assume.
The line in question (line 12, as pointed to in the exception), is the following:
<application-policy xmlns="urn:jboss:security-beans:1.0" name="MyProjectDatabaseLogin">
The errors/exceptions are:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.deployment.unit."myear.ear".PARSE: org.jboss.msc.service.StartException in service jboss.deployment.unit."myear.ear".PARSE: WFLYSRV0153: Failed to process phase PARSE of deployment "myear.ear"
[stack trace omitted]
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYPOJO0038: Exception while parsing POJO descriptor file: "/content/myear.ear/META-INF/myproject-auth-jboss-beans.xml"
[stack trace omitted]
Caused by: org.projectodd.vdx.core.XMLStreamValidationException: ParseError at [row,col]:[12,4]
Message: ParseError at [row,col]:[12,4]
Message: WFLYCTL0198: Unexpected element '{urn:jboss:security-beans:1.0}application-policy' encountered
[stack trace omitted]
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "myear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"myear.ear\".PARSE" => "WFLYSRV0153: Failed to process phase PARSE of deployment \"myear.ear\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYPOJO0038: Exception while parsing POJO descriptor file: \"/content/myear.ear/META-INF/myproject-auth-jboss-beans.xml\"
Caused by: org.projectodd.vdx.core.XMLStreamValidationException: ParseError at [row,col]:[12,4]
Message: ParseError at [row,col]:[12,4]
Message: WFLYCTL0198: Unexpected element '{urn:jboss:security-beans:1.0}application-policy' encountered"}}
Why is application-policy (or the xmlns value for it) unexpected here? What is causing this exception?
I had to manually type the above xml line and errors/exceptions, so it is possible there could be some typos not actually present in the original which do not contribute to the problem, though I have reread my question here several times and I don't think I typo'd the above.
I eventually figured out that these configurable items are no longer supposed to be in the same file. This information is now supposed to be in the server's configuration file, so you will probably put it into either the domain.xml file or the standalone.xml file.
This is a security application policy, so the contents of this tag now go into the <security-domains> section in a <security-domain> tag.
So it would be like the following. Notice that <application-policy ...> is now <security-domain ...> and it is within <security-domains>. Also, my security application-policy from before had two <login-module> within it, but if the new elytra security system is used, then only 1 <login-module> tag is allowed in the security-domain...
...
<security-domains> <!-- Search for this in the file and put the migrated part into here -->
<security-domain name="MySecurityDomain">
... all the stuff that used to be in the security application policy
... note that some of the stuff you put in here might need to change depending on the security system used
</security-domain>
</security-domains>
...

Apache Axis2 rahas-1.6.2.mar toSAXParseException when Axis2 is deploying rahas

I amy writing an Apache Axis2 client to call some remote web services.
I can get it to work but I also need to deploy the rahas model because the remote server is using security. When I add rahas-1.6.2.mar to my $Axis_Home/repository/module I get the exception below. If I remove it then I do not get the exception.
Does anyone know how to fix this?
2012/11/29 20:45:43:567 GMT [ERROR] XMLConfigurator - Configuration
file does not validate against schema org.xml.sax.SAXParseException: UndeclaredPrefix:
Cannot resolve 'xt:DEFAULT' as a QName: the prefix 'xt' is not
declared. at
com.sun.org.apache.xerces.internal.jaxp.validation.Util.toSAXParseException(Util.java:109)
at
com.sun.org.apache.xerces.internal.jaxp.validation.ErrorHandlerAdaptor.error(ErrorHandlerAdaptor.java:104)
at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:382)
at
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:316)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(XMLSchemaValidator.java:429)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(XMLSchemaValidator.java:3185)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processOneAttribute(XMLSchemaValidator.java:2799)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.processAttributes(XMLSchemaValidator.java:2735)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(XMLSchemaValidator.java:2094)
at
com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.startElement(XMLSchemaValidator.java:705)
at
com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorHandlerImpl.startElement(ValidatorHandlerImpl.java:335)
at
org.apache.xalan.transformer.TransformerIdentityImpl.startElement(TransformerIdentityImpl.java:1072)
at
org.apache.xml.serializer.TreeWalker.startNode(TreeWalker.java:357)
at org.apache.xml.serializer.TreeWalker.traverse(TreeWalker.java:143)
at
org.apache.xalan.transformer.TransformerIdentityImpl.transform(TransformerIdentityImpl.java:389)
at
com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.process(ValidatorImpl.java:220)
at
com.sun.org.apache.xerces.internal.jaxp.validation.ValidatorImpl.validate(ValidatorImpl.java:141)
at javax.xml.validation.Validator.validate(Validator.java:82) at
org.opensaml.xml.XMLConfigurator.validateConfiguration(XMLConfigurator.java:373)
at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:162)
at org.opensaml.xml.XMLConfigurator.load(XMLConfigurator.java:142)
at
org.opensaml.DefaultBootstrap.initializeXMLTooling(DefaultBootstrap.java:199)
at
org.apache.rahas.RampartSAMLBootstrap.bootstrap(RampartSAMLBootstrap.java:79)
at org.apache.rahas.Rahas.init(Rahas.java:41) at
org.apache.axis2.context.ConfigurationContextFactory.initModules(ConfigurationContextFactory.java:252)
at
org.apache.axis2.context.ConfigurationContextFactory.init(ConfigurationContextFactory.java:230)
at
org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:93)
at
org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContextFromFileSystem(ConfigurationContextFactory.java:210)

weblogic, deployments are not reading properties from WEB-INF/classes, configured using Spring

I have a similar problem to: Using external properties files in weblogic and note that the accepted answer there is mainly working for me.
However, I have a follow-up (sorry, cannot work out how to just add comments to re-open the original question)
Does anyone know what the actual cause of this is and the "correct" (if there is such a thing) solution, or do people take copying files to the domain as a common practise in weblogic (10.3.3)
What I am using is:
Spring config has this:
<bean id="messages" class="java.util.ResourceBundle" factory-method="getBundle">
<constructor-arg index="0" value="config/messages"/>
</bean>
the messages bean is then referenced in other beans
The error is
<code>
<11-Apr-2011 11:47:23 o'clock BST> <Error> <Deployer> <BEA-149265> <Failure occurred in the execution of deployment request with ID '1302518829904' for task '4'. Error is: 'weblogic.application.ModuleException: '
weblogic.application.ModuleException:
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1514)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
Truncated. see log file for complete stacktrace
Caused By: java.util.MissingResourceException: Can't find bundle for base name config/messages, locale en_GB
at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1521)
at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1260)
at java.util.ResourceBundle.getBundle(ResourceBundle.java:715)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
</code>
I have tried removing the config/ at the start (and copying the messages.properties to WEB-INF and also WEB-INF/classes, to no avail. Should also point out that all of messages, messages _en_GB and messages _en_US exist
Your path reference doesn't have a 'classpath' in it. Have you tried putting the config directory in the root of the war?