
ASP.NET Misconfiguration: Missing Custom Error Page

ID: 12
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Variant





Description

An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Applicable Platforms
Language: .NET

Time Of Introduction

  • Implementation
  • Operation

Common Consequences

Scope: Confidentiality
Technical Impact: Read application data
Notes: Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

Detection Methods
None

Potential Mitigations

  • Description: Handle exceptions appropriately in source code. The best practice is to use a custom error message. Make sure that the mode attribute is set to "RemoteOnly" in the web.config file as shown in the following example.

    The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. It should be configured to use a custom page as follows:

  • Description: Do not attempt to process an error or attempt to mask it.

  • Description: Verify return values are correct and do not supply sensitive information about the system.

  • Phase: System Configuration
    Description: ASP.NET applications should be configured to use custom error pages instead of the framework default page.
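The <customErrors> setting described in the mitigations above, as an added example that is not part of the original CWE entry: a short Python check run over two constructed Web.config samples, one with mode="Off" and one using "RemoteOnly" with a custom page. The defaultRedirect path ~/Error.aspx and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: framework error detail is returned to every client.
WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: remote clients are sent to a custom page
# (the path ~/Error.aspx is hypothetical).
HARDENED = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return a list of findings for the <customErrors> settings of one Web.config."""
    root = ET.fromstring(web_config_xml)
    elements = [e for e in root.iter() if local(e.tag) == "customErrors"]
    if not elements:
        return ["no <customErrors> element: no custom error page is configured"]
    findings = []
    for elem in elements:
        # ASP.NET treats an absent mode attribute as RemoteOnly.
        mode = elem.get("mode", "RemoteOnly")
        if mode == "Off":
            findings.append('mode="Off": default error pages are shown to remote clients')
        elif not elem.get("defaultRedirect") and len(elem) == 0:
            # Neither a default page nor per-status <error> children are set.
            findings.append(f'mode="{mode}" without defaultRedirect: no custom page is named')
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_custom_errors(doc) or "ok")
```
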
 
  

Relationships

Related CWE: CWE-12 ChildOf CWE-895
Type: Category
View: CWE-888

Demonstrative Examples

  1. An insecure ASP.NET application setting: (Demonstrative Example Id DX-75)

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms
Name: ASP.NET Misconfiguration: Missing Custom Error Handling
 
 


© SecPod Technologies