ASP.NET path disclosure
Description
ASP.NET applications may expose detailed error messages that reveal the physical file system path of the web application, framework version information, and other internal configuration details. This information disclosure typically occurs when custom error pages are disabled or improperly configured, causing the default ASP.NET error handler to display verbose diagnostic information to end users.
Remediation
Configure custom error pages to prevent detailed error information from being displayed to end users:
1. Enable custom errors in Web.config:
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
<error statusCode="404" redirect="~/NotFound.aspx" />
<error statusCode="500" redirect="~/Error.aspx" />
</customErrors>
</system.web>
</configuration>2. For ASP.NET Core applications, configure exception handling:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
}3. Additional steps:
- Review and test all error pages identified in the scan results
- Implement centralized error logging to capture detailed errors server-side without exposing them to users
- Set
debug="false"in the compilation element of Web.config for production environments - Ensure generic error messages are displayed to users while logging full details securely