ASP.NET Misconfiguration: Missing Custom Error Page
ID: 12 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
An ASP.NET application must enable custom error pages in order
to prevent attackers from mining information from the framework's built-in
responses.
Applicable Platforms
Language: .NET
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read application data | Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. |
Detection Methods None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
| | Handle exceptions appropriately in source code. The best practice is to use a custom error message. Make sure that the mode attribute is set to "RemoteOnly" in the web.config file as shown in the following example. The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. It should be configured to use a custom page as follows: | | |
| | Do not attempt to process an error or attempt to mask it. | | |
| | Verify return values are correct and do not supply sensitive information about the system. | | |
System Configuration | | ASP.NET applications should be configured to use custom error pages instead of the framework default page. | | |
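The following added example (not part of the CWE entry) contrasts an insecure <customErrors> setting with the RemoteOnly configuration described in the mitigations above and audits both with a small Python check. The sample Web.config contents, the page paths and the function name audit_custom_errors are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the insecure setting, detailed framework errors for every client.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: remote clients are sent to a custom page.
# The page paths are placeholders, not values from the CWE entry.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return findings for <customErrors>; an empty list means the check passed."""
    root = ET.fromstring(web_config_xml)
    # iter() also reaches <customErrors> nested under <location> overrides.
    elements = [el for el in root.iter() if _local(el.tag) == "customErrors"]
    if not elements:
        return ["no <customErrors> element, so no custom error page is configured"]
    findings = []
    for el in elements:
        mode = el.get("mode", "RemoteOnly")  # RemoteOnly is the ASP.NET default
        has_page = bool(el.get("defaultRedirect")) or any(
            _local(child.tag) == "error" for child in el)
        if mode == "Off":
            findings.append('mode="Off": default error pages are shown to remote clients')
        elif not has_page:
            findings.append(f'mode="{mode}" but no defaultRedirect or <error> page is set')
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_custom_errors(xml) or "OK")
```
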
Relationships
Related CWE | Type | View | Chain |
---|
CWE-12 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- An insecure ASP.NET application setting: (Demonstrative Example Id DX-75)
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
7 Pernicious Kingdoms | | ASP.NET Misconfiguration: Missing Custom Error Handling | |