Security Misconfiguration.
To reduce the danger of hacking:
- Check that all server, database and code libraries are patched and up to date.
- Disable unnecessary ports, services, pages, accounts and privileges.
- Change passwords for default accounts, or disable the account.
- Set up error handling so that stack traces are never displayed to the user. Write the stack trace to a log file and show the user only a timestamp.
- Understand and configure the security settings in your code libraries.
To set up error handling in a Java web app, add this to web.xml:
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/errorPage</location>
    </error-page>
The action or controller that responds to the /errorPage request should log the exception, then forward to a simple web page that displays a timestamp and a link back to the home page. A simple message like "There has been an error. Please note down the time displayed on this page and call ....." is enough for the user.
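As an added example (not code from the original page), here is one way to implement the /errorPage handler as a servlet, assuming a Servlet 3.x container (javax.servlet API); the class name and the wording of the user message are hypothetical. The container stores the original exception under the standard request attributes, so the handler can log the full trace and return only a timestamp and reference to the user.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical handler for the /errorPage location declared in web.xml.
@WebServlet("/errorPage")
public class ErrorPageServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // When the container forwards to an <error-page> location it places the
        // original exception and request URI in these standard request attributes.
        Throwable cause = (Throwable) req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        String uri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        // A timestamp and random reference the user can quote; both are written to
        // the log so support can find the matching entry.
        String timestamp = ZonedDateTime.now().format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);
        String reference = UUID.randomUUID().toString();

        // The full stack trace goes to the log only, never into the response body.
        LOG.log(Level.SEVERE, "Unhandled error ref=" + reference + " uri=" + uri, cause);

        // The response carries no exception details and no attacker-controlled input.
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><body>");
            out.println("<p>There has been an error. Please note down the time and reference below and contact support.</p>");
            out.println("<p>Time: " + timestamp + "</p>");
            out.println("<p>Reference: " + reference + "</p>");
            out.println("<p><a href=\"/\">Return to the home page</a></p>");
            out.println("</body></html>");
        }
    }
}
```

Because the handler writes its own minimal HTML rather than forwarding to a JSP, a second failure while rendering the error page cannot expose a trace either.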