What I already did inside my application's and tomcat's web.xml:
I'm using Tomcat 8.5.63, and the goal is to remove the "Apache Tomcat/8.5.63" part on the default server response page whenever a 501 error appears.
The way I'm testing this is that I intercept a request using a pentest tool (I'm using burp suite community)
and modify a request to include a header (yes I know that header is invalid).
Any ideas on how to implement a custom page so that the 501 can be handled properly?
I actually had to look at Tomcat source code about this, since I had some suspicions, and I think my suspicions are correct.
In certain cases, Tomcat itself generates and returns HTTP response code 501. I don't have a full list, but it looks like certain overload situations can trigger it, but also sending a request type other than the official "GET", "POST", "HEAD", "OPTIONS", ... will return a 501 (which is literally "request not implemented").
In such cases, you cannot modify the error page, because there is no error page. Tomcat sends back a response without a body and the actual "web page" displayed is generated by the client and thus depends on the client.
If having Tomcat yak out server details that you don't wish to be known is a problem, that wouldn't be unique to 501 responses, though. That sort of info comes back with every Tomcat response so you'd have to filter the header generation process.
Loudly announcing something is true and finding out you're wrong makes you feel foolish.
Finding out you're wrong and refusing to admit it makes you LOOK foolish.
You showed up just in time for the waffles! And this tiny ad:
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop