CWE-16
OWASP 2013-A6
OWASP 2017-A3

ASP.NET CustomErrors Is Disabled

Severity: Medium

Summary

Invicti detected that the custom errors in the ASP.NET application are disabled.

Impact

Error messages and warnings from the ASP.NET application might expose sensitive information about its inner workings that an attacker could use.

Remediation
Actions To Take

To enable custom error messages, edit web.config and change the mode attribute of the customErrors element:

From:

<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>

To:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

Keep in mind the different customErrors mode values:

  • On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page.
  • Off – Specifies that custom errors are disabled. This displays detailed errors.
  • RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to local users. This is the default.
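
The following check is an added example, not part of the original page or of Invicti's tooling. It reads a web.config and reports every customErrors setting, including ones inside a location element that override a safe site-level value. The sample configuration, the "admin" path and the function names are constructed for illustration, and the check assumes no parent configuration file changes the default.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the site-level setting is safe, but a <location>
# override (the path "admin" is made up) turns custom errors off again.
SAMPLE = """<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly"/>
  </system.web>
  <location path="admin">
    <system.web><customErrors mode="Off"/></system.web>
  </location>
</configuration>"""


def _classify(element):
    mode = element.get("mode", "RemoteOnly")  # RemoteOnly is the default
    if mode not in ("On", "RemoteOnly"):  # "Off", or a value this check does not know
        return mode, "FAIL", "detailed errors may be shown to every client"
    if mode == "On" and not element.get("defaultRedirect"):
        return mode, "OK", "generic error page, no defaultRedirect set"
    return mode, "OK", "detailed errors are hidden from remote clients"


def audit_custom_errors(xml_text):
    """Return (scope, mode, status, note) for each customErrors setting."""
    findings = []

    def local(tag):  # drop an XML namespace such as "{uri}customErrors"
        return tag.rsplit("}", 1)[-1]

    def walk(node, scope):
        for child in node:
            if local(child.tag) == "location":
                walk(child, "location:" + child.get("path", ""))
            elif local(child.tag) == "system.web":
                for el in child:
                    if local(el.tag) == "customErrors":
                        findings.append((scope,) + _classify(el))

    walk(ET.fromstring(xml_text), "site")
    if not any(f[0] == "site" for f in findings):
        # Assumes no parent configuration file overrides the default.
        findings.insert(0, ("site", "RemoteOnly", "OK", "element absent, default applies"))
    return findings


if __name__ == "__main__":
    for finding in audit_custom_errors(SAMPLE):
        print(" | ".join(finding))
```

Any FAIL line identifies the scope whose customErrors element should be changed as shown above.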