Web.xml security misconfigurations

checkErrorPages: Ensures default error pages are configured to prevent exposure of sensitive server information through default error messages.

Example Without Error Page Configuration:
[source, xml]
----
<!-- Misconfiguration leading to default server error messages -->
----

Proper Error Page Configuration:
[source, xml]
----
<error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
</error-page>
----

checkHttpOnly: Ensures the session cookie Http Only flag is set to prevent client-side scripts from accessing the session ID.

Correct Configuration:
[source, xml]
----
<cookie-config>
    <http-only>true</http-only>
</cookie-config>
----

checkNoHttpMethodInSecurityConstraints: Ensures security constraints are not defined for specific HTTP methods to prevent bypass.

checkSecureSession: Ensures the session ID is marked as secure to protect session data during transmission over HTTPS.

Secure Session Configuration:
[source, xml]
----
<cookie-config>
    <secure>true</secure>
</cookie-config>
----

checkSessionTimeout and checkSessionTimeoutExists: Ensures the session timeout is properly configured and exists to prevent sessions from remaining active indefinitely.

Proper Session Timeout Configuration:
[source, xml]
----
<session-config>
    <session-timeout>30</session-timeout> <!-- 30 minutes -->
</session-config>
----

checkSessionIdInCookieOnly: Ensures the session ID is sent only in cookies, reducing session fixation and hijacking chances.

checkSSLForProtectedAreas: Ensures SSL is enforced for protected areas, requiring encrypted data transmission.

Protecting Sensitive Areas with SSL:
[source, xml]
----
<security-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
----

checkErrorPages, enables the check that ensures that the default error pages were configured.

checkHttpOnly, enables the check that ensures that the session cookie Http Only flag will be set.

checkNoHttpMethodInSecurityConstraints, enables the check that ensures that the security constraints should not specify http methods.

checkSecureSession, enables the check that ensures that the session ID is configured as secure.

checkSessionTimeout, enables the check that ensures that the session timeout is properly configured.

checkSessionTimeoutExists, enables the check that ensures that the timeout element exists.

checkSessionIdInCookieOnly, enables the check that ensures that session ID is configured to be sent only in cookies.

checkSSLForProtectedAreas, enables the check that ensures that SSL must be set for protected areas.

https://cwe.mitre.org/data/definitions/5.html

https://cwe.mitre.org/data/definitions/7.html

https://cwe.mitre.org/data/definitions/384.html

https://cwe.mitre.org/data/definitions/613.html

https://cwe.mitre.org/data/definitions/614.html

https://cwe.mitre.org/data/definitions/1004.html

http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files

https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information