ASP.NET CustomErrors Is Disabled
Severity:
Medium
Summary
Invicti detected that the custom errors in the ASP.NET application are disabled.
Impact
ASP.NET application’s error messages or warnings might expose sensitive information that an attacker might use to gain important information about the inner workings of your application.
Remediation
Required Skills for Successful Exploitation
Actions To Take
To enable custom error messages, please edit web.config and change custom messages parameter:
From:
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
To:
<configuration>
<system.web>
<customErrors defaultRedirect="YourErrorPage.aspx"
mode="RemoteOnly">
<error statusCode="500"
redirect="InternalErrorPage.aspx"/>
</customErrors>
</system.web>
</configuration>
Please keep in mind different customError values
- On – Specifies that custom errors are enabled. If
defaultRedirectis not specified, users see a generic error page - Off – Specifies that custom errors are disabled. This displays detailed errors.
- RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local users.This is the default.
Classifications
Vulnerability Index
You can search and find all vulnerabilities
Select Category
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Featured resources
Build your resistance to threats. And save hundreds of hours each month.
