Disable the default stacktrace error response in Jetty

Question

We received a PenTest finding stating that the stack trace given from the 400 "Unable to Parse" Jetty error (below) gives the attacker too much information and we should disable that part of the error response.

I'm reading through the documentation on error handling but I'm pretty new to both eclipse and jetty. It's unclear to me what I should do.

For example I think where I make the change depends on whether or not we're using WebAppContext, but I don't know how to find out if we are using that or not.

All I've managed to do is find our web.xml file inside WEB_INF/web.xml

Here's the error response: the stack trace continues much further but I shortened here for brevity sake.

HTTP ERROR 400 Unable to parse URI query
URI:    
STATUS: 400
MESSAGE:    Unable to parse URI query
SERVLET:    Portal
CAUSED BY:  org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query
CAUSED BY:  org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0
Caused by:

org.eclipse.jetty.http.BadMessageException: 400: Unable to parse URI query
    at org.eclipse.jetty.server.Request.getParameters(Request.java:449)
    at org.eclipse.jetty.server.Request.getParameter(Request.java:1059)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:194)
    at com.gce2000.common.servlet.CrossScriptingFilter$XSSRequestWrapper.getParameter(CrossScriptingFilter.java:94)

Answer 1

In your WEB-INF/web.xml just specify an HTML (or Servlet, or JSP) that can handle your error.

<web-app>
  <error-page>
    <!-- Bad Request -->
    <error-code>400</error-code>
    <location>/error-bad-request.html</location>
  </error-page>
</web-app>

You can declare error-page's for status codes and Exceptions.

You might want to also declare the global one (make sure your WEB-INF/web.xml is using Servlet 3.0 or better)

<web-app>
  <error-page>
    <location>/error-general.html</location>
  </error-page>
</web-app>