Last updated: September 6, 2022

As a WebSphere administrator, you might be familiar with the following error page. WebSphere generates it when the hostname/IP in the request doesn’t match the virtual host configuration.

[Screenshot: was-virtual-error-page]

Have you seen this error?

It exposes the server information and port number, which is considered an information leakage vulnerability.

There are three possible ways to fix this.

Handle the custom error through the web server – if you are using a web server in front of WebSphere, you can handle the 404 error at the web server and show a custom error page.

By showing a custom error page, you hide the server information and maintain the brand across the application.

Handle the error page within the application – let the developer handle the error page within the WebSphere application code and show the custom error page whenever a 404 return code is triggered.

Override the error through WAS configuration – this is the quickest way to mask the server information, but it has a limitation: the message is shown as plain text and HTML tags are not allowed.

If branding is not a concern, you may consider this option. Let’s go through the configuration. This setting is per JVM, so if your application runs on multiple JVMs, you have to apply it to all of them.

  • Log in to the WebSphere Administrative Console
  • Go to Servers >> Server Types >> WebSphere application servers
  • Click the JVM where you want to override the error
  • Expand “Web Container Settings” and click “Web container”
  • Click Custom properties

[Screenshot: was-web-container-new]

  • Click New, enter the Name as com.ibm.ws.webcontainer.webgroupvhostnotfound and, as the Value, the error message you want to show. For example: “Sorry, requested page not found.”
  • Click OK

[Screenshot: was-hide-error]

  • Review and save the configuration
  • Restart the JVM
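
The console steps above have to be repeated on every JVM. As an added example (not from the original article), this wsadmin Jython script sets the same custom property on every web container that `AdminConfig.list` returns. The function name `set_vhost_not_found_message` is hypothetical, and the message is the article's sample value.

```python
# Added example for wsadmin (-lang jython); not code from the original article.
PROP_NAME = "com.ibm.ws.webcontainer.webgroupvhostnotfound"  # property named in the article
MESSAGE = "Sorry, requested page not found."  # sample value from the article


def set_vhost_not_found_message(admin_config, message=MESSAGE):
    """Create or update the property on every web container.

    admin_config is wsadmin's AdminConfig object.
    Returns a (created, updated, unchanged) tuple of counts.
    """
    created = updated = unchanged = 0
    for wc in admin_config.list("WebContainer").splitlines():
        if not wc.strip():
            continue
        existing = None
        # Look through the Property objects in this web container's scope.
        for prop in admin_config.list("Property", wc).splitlines():
            if prop.strip() and admin_config.showAttribute(prop, "name") == PROP_NAME:
                existing = prop
                break
        if existing is None:
            admin_config.create("Property", wc, [["name", PROP_NAME], ["value", message]])
            created += 1
        elif admin_config.showAttribute(existing, "value") != message:
            admin_config.modify(existing, [["value", message]])
            updated += 1
        else:
            unchanged += 1
    # Write to the master configuration only when something changed.
    if created or updated:
        admin_config.save()
    return created, updated, unchanged


try:
    AdminConfig  # this name is defined only inside a wsadmin session
except NameError:
    pass  # loaded outside wsadmin: define the function and do nothing
else:
    print("created/updated/unchanged: %s" % (set_vhost_not_found_message(AdminConfig),))
```

The script only changes the configuration; each JVM still needs the restart described above before the new message is served.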

Now, let’s try to access a page that doesn’t exist.

[Screenshot: was-error-mask]

Much better, isn’t it?

If you work in a PCI DSS compliant or highly transactional environment, the security auditing team will most likely ask you to mitigate this.

I hope this small configuration helps you hide WebSphere server information from the error page.

Author: Chandan Kumar