Reputation: 497
AppScan called an API with the URL https://10.106.215.110/manager in my application, which says 403 Access Denied. Now I want to change this message to 404.
Can anyone guide me? Thanks in advance.
PS: I have two applications running on this hostname. I am using Tomcat as the server and I don't want to change anything in Tomcat.
Upvotes: 0
Views: 1230
Reputation: 81
The hidden directory enumeration issue exists when the server responds with a '403 Forbidden' error while trying to access a valid application directory. Hidden directories were detected by viewing the '403 Forbidden' response from the server. An attacker will try to access multiple directories within the application by guessing their names or launching a brute force attack. The server will typically respond with a '404 Not Found' error if a directory does not exist; however, if a valid directory exists, the server responds with a '403 Forbidden' error. The attacker can use this difference in the response to enumerate the application directories and file structure. The presence of hidden directories allows an attacker to gather information regarding the file and directory structure of the application by viewing the '403 Forbidden' server response. An attacker can list the server directories by studying the different error responses that are thrown by the application server.
The solution for this is making custom error pages with the help of the web.config file.
At this moment the developer can control how users are shown a better error page by configuring it in the web.config file. There are a couple of attributes we need to set. Please check the link below for more details.
https://www.c-sharpcorner.com/UploadFile/092589/custom-error-page-in-Asp-Net/
Thanks
Upvotes: 0
Reputation: 809
Changing the status code can be done in the code itself if you don't want to change anything in Tomcat.

public void sendError(int code, String message)

The sendError method sends a status code (usually 404) along with a short message that is automatically formatted inside an HTML document and sent to the client.
Please refer to the following link if it is Java code: http://www.informit.com/articles/article.aspx?p=29817&seqNum=7
There is a way in PHP as well.
int http_response_code ([ int $response_code ] )
You can find more about this method in the php documentation manual.
Upvotes: 1
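The technique both answers point at is the same: stop distinguishing "exists but forbidden" from "does not exist" in the response, so a scanner learns nothing from the 403/404 difference. Below is an added example (not code from the question, the answers, or Tomcat itself) of doing that inside a Java web application with a servlet Filter, which is where sendError is called in the Java case. It wraps the response so that any 403 the application (or its security constraints) emits is sent as a 404 instead. The filter name, the javax.servlet package (Tomcat 9 and earlier; Tomcat 10+ uses jakarta.servlet) and the web.xml mapping shown in the comments are assumptions for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Example filter (hypothetical name) that collapses 403 Forbidden into
 * 404 Not Found for everything served by this web application, so that a
 * forbidden path and a non-existent path produce the same response.
 *
 * Register it in the application's WEB-INF/web.xml (assumed mapping):
 *
 *   <filter>
 *     <filter-name>ForbiddenToNotFoundFilter</filter-name>
 *     <filter-class>ForbiddenToNotFoundFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ForbiddenToNotFoundFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ForbiddenToNotFoundFilter implements Filter {

    /** Map a status code to the one we actually want to send. */
    static int normalize(int status) {
        return status == HttpServletResponse.SC_FORBIDDEN
                ? HttpServletResponse.SC_NOT_FOUND
                : status;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Wrap the response so every way a servlet can set a 403
        // (sendError with or without a message, or a bare setStatus)
        // is rewritten to 404 before it reaches the client.
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(httpResponse) {
            @Override
            public void sendError(int sc, String msg) throws IOException {
                // Drop the message too: a 403-specific text would leak the
                // same information the status code did.
                super.sendError(normalize(sc));
            }

            @Override
            public void sendError(int sc) throws IOException {
                super.sendError(normalize(sc));
            }

            @Override
            public void setStatus(int sc) {
                super.setStatus(normalize(sc));
            }
        };

        chain.doFilter(request, wrapped);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two caveats worth knowing before relying on this. A filter only sees responses generated inside the web application it is deployed in: a 403 produced by Tomcat itself before the request reaches your application (for example by the address-based access valve that guards the built-in manager application) never passes through your filter, which is why the /manager URL in the question cannot be fixed from application code alone. And the response body matters as much as the status: if the 404 page your application renders for a rewritten 403 looks different from the 404 page for a genuinely missing path, the scanner can still tell the two apart, so point both at the same error page.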