Hi,
During a recent penetration test it was found that our application is revealing informative application error messages.
When I cross-checked all the APIs we have implemented, we have custom HTTP responses defined for all web APIs if the HTTP status code from the API response is 500.
The security analysis report describes the problem as follows:
When sending a POST request to => /suite/rest/a/logging/latest/csp/report with a malformed input parameter, the server response included debug information. This can enable an attacker to refine their attack strategies.
As per the standard remediation for this kind of issue, I have created a few custom error HTML pages (for 404 and 500, for example) and edited the httpd.conf file in the Apache web server to point to these custom HTML pages, something like this:
ErrorDocument 500 /errors/500.html
ErrorDocument 404 /errors/404.html
But this doesn't seem to work, and Appian is still giving the same response as earlier. I have even tried editing the web.xml to map the error HTML pages for 404 & 500 errors. That too didn't help. Please suggest.
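An added configuration example (not from the original post or from Appian) showing the Apache setting that is usually missing when ErrorDocument appears to have no effect for an application behind a reverse proxy. It assumes Apache httpd with mod_proxy fronts the Appian application server under /suite; the backend address and the /errors/ location are placeholders.

```apache
# Added example, not from the original post. Assumes Apache httpd (mod_proxy)
# fronts the Appian application server and that /errors/ is served locally
# by Apache; the backend address is a placeholder.
ProxyPass        /suite  http://appian-backend.example:8080/suite
ProxyPassReverse /suite  http://appian-backend.example:8080/suite

# ErrorDocument only applies to errors that Apache itself generates. A 500
# produced by the backend is relayed to the client with the backend's own
# body (including any debug output) unless ProxyErrorOverride is enabled.
ProxyErrorOverride On

# With the override on, 4xx/5xx responses coming from the backend are
# replaced by Apache's error documents.
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
```

Note that with the override on, every 4xx/5xx body from the backend is replaced, including the custom API error responses mentioned above, so re-test the web APIs after enabling it.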
When running the pen test, are you using an authenticated user, or are you running the test without being authenticated?
In the second case, I think that Appian will always return the same message (and it doesn't matter if the resource exists or not), so the attacker won't receive any valid information.
I would assume that API calls are not evaluated by Apache.
In the Appian web API object, you can control the returned messages.
I would suggest you contact Appian Support for this type of request.