As a fellow WebSphere administrator, you've likely encountered that dreaded 404 error page displaying your server and port information for the world to see. I know I've seen it pop up a few too many times!
This information leakage is considered a security vulnerability that could allow attackers insight into your infrastructure. So as stewards of your company's applications and data, it's our job to lock it down.
In this comprehensive guide, I'll walk through several methods to hide those sensitive details from error pages in WebSphere.
The Problem with Default Error Pages
The default WebSphere error page looks something like this:

Notice it displays:
- The hostname/IP address of the server
- The application name
- The exact port number
Armed with this information, a hacker could:
- Fingerprint the application stack being used
- Attempt targeted attacks against known vulnerabilities
- Try a range of ports for unprotected services
- Harvest credentials via phishing sites
According to OWASP, exposing error codes and server details is an information leakage vulnerability.
In fact, the PCI DSS compliance standard explicitly requires masking these details in section 6.5.6.
So if your app handles sensitive data like credit cards or healthcare records, obscuring this information is likely required.
Custom Error Page Options for WebSphere
Now that we know why this is an issue, let's discuss solutions. Here are three ways we can customize error pages in WebSphere to hide server details:
1. Handle Errors at the Web Server Level
If you have a web server like Nginx or Apache in front of WebSphere, you can configure it to catch 404 errors first and display a custom page.
For example, in Nginx's nginx.conf file:
error_page 404 /404.html;
Then just create a branded 404.html page. This is the best option for consistency, since all 404s will show the same polite "page not found" screen.
According to Imperva, over 50% of web traffic goes through Nginx. So if you use it, take advantage!
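When nginx proxies to WebSphere, the error_page line only replaces upstream 404 responses if proxy_intercept_errors is enabled; otherwise nginx relays WebSphere's own error body. A fuller server block as an added example (not from the original article), where the server name, the upstream address 127.0.0.1:9080 and the /usr/share/nginx/html path are placeholder assumptions:

```nginx
# Added example: nginx in front of WebSphere, replacing the default 404 body.
# The server name, upstream address and root path are placeholders.
server {
    listen 80;
    server_name www.example.com;              # placeholder

    location / {
        proxy_pass http://127.0.0.1:9080;     # placeholder WebSphere host:port

        # Without this directive nginx passes the upstream's error response
        # through unchanged, and error_page below applies only to errors
        # that nginx generates itself.
        proxy_intercept_errors on;
    }

    # Serve the same static page for every 404, whichever side produced it.
    error_page 404 /404.html;

    location = /404.html {
        root /usr/share/nginx/html;           # placeholder directory holding 404.html
        internal;                             # reachable only via error_page, not by direct request
    }
}
```

After reloading nginx, a request for a nonexistent path should return the static page with a 404 status and no WebSphere hostname or port in the body.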
2. Handle Errors within the App Code
Another option is to have your developers configure a custom error page within the application code itself. They can call this page whenever a 404 status is returned from WebSphere at the Java level.
This allows full control over the design and content of the page. You can match the style of the rest of your app perfectly. But it does require developer time and effort to implement.
3. Override Default via WebSphere Config
Finally, we can override the default right in the WebSphere config as administrators.
You'll want to configure the com.ibm.ws.webcontainer.webgroupvhostnotfound property with your custom error text.
For example:
"Sorry, that page doesn't exist. Please try again or contact us."
To make this change:
- Log in to the WebSphere Admin Console
- Go to Servers > Server Types > WAS
- Select your JVM
- Expand Web Container Settings > Web container
- Click Custom properties
- Add the property above with your error text
The downside is you can't insert HTML here, just plain text. But it's a quick fix if branding isn't important.
According to GeekFlare, this method can help address security audit findings and is recommended by IBM.
Putting It All Together
To recap, here are your options for hiding sensitive server details from WebSphere error pages:
- Web Server: Simple to maintain, consistent branding
- Application Code: Full customization options
- WebSphere Config: Quick fix, no coding required
So consider your use case – are you handling sensitive financial data? Does consistent branding matter? Do you have developer resources available?
Choose the option that makes the most sense for your needs. Just make sure you aren't exposing internal configuration details that could aid attackers.
Stay safe out there, fellow admin! Let me know if this guide helps you properly obscure your WebSphere error pages. I'm always happy to discuss more tips and tricks over a coffee.