Stack Trace Disclosure (ASP.NET)
Description
The application exposes detailed ASP.NET stack traces to users when errors occur. Stack traces contain sensitive technical information including physical file paths, code snippets, framework version details, database connection information, and internal application structure. This information disclosure occurs when custom error handling is not properly configured, allowing default ASP.NET error pages to be displayed to end users.
Remediation
Configure custom error pages in ASP.NET to prevent stack trace disclosure to end users while maintaining detailed logging for developers. Implement the following changes:
1. Update web.config to enable custom error pages:

<configuration>
  <system.web>
    <!-- Set mode to "On" for production, "RemoteOnly" for staging -->
    <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
      <error statusCode="403" redirect="~/error/Forbidden.aspx" />
      <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
      <error statusCode="500" redirect="~/error/InternalError.aspx" />
    </customErrors>
  </system.web>
</configuration>

2. Implement proper exception handling in your code:

try
{
    // Application code
}
catch (Exception ex)
{
    // Log detailed error information securely
    Logger.LogError(ex);
    // Display generic error message to user
    Response.Redirect("~/error/GeneralError.aspx");
}

3. Create user-friendly custom error pages that provide helpful information without exposing technical details.

4. Ensure detailed errors are logged server-side for debugging purposes while keeping them hidden from end users.
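As an added example (not code from the original page), a Global.asax.cs Application_Error handler that acts as the safety net for exceptions the page-level try/catch in step 2 does not catch: it logs the full detail server-side, then sends the user to the generic page matching the status code. The Logger class is a hypothetical stand-in for whatever logging the application already uses.

```csharp
// Global.asax.cs: application-wide safety net for unhandled exceptions.
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical stand-in for the Logger used in step 2; writes full detail to the
// server-side trace listeners only, never to the HTTP response.
public static class Logger
{
    public static void LogError(Exception ex)
    {
        Trace.TraceError("Unhandled exception: {0}", ex);   // includes stack trace and inner exceptions
    }
}

public class Global : HttpApplication
{
    // Runs for any exception not caught by page-level try/catch blocks.
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page errors in HttpUnhandledException; log the real cause.
        Exception root = ex.GetBaseException();
        Logger.LogError(root);

        // Pick the generic page that matches the HTTP status (mirrors the web.config mapping).
        int statusCode = (root as HttpException)?.GetHttpCode() ?? 500;
        string target;
        switch (statusCode)
        {
            case 403: target = "~/error/Forbidden.aspx"; break;
            case 404: target = "~/error/PageNotFound.aspx"; break;
            default:  target = "~/error/InternalError.aspx"; break;
        }

        // Clearing the error stops ASP.NET from rendering its default detailed error page.
        Server.ClearError();

        // Send the user to the generic page; ex.Message and ex.StackTrace are never written to the response.
        Response.Clear();
        Response.Redirect(target, false);
        CompleteRequest();
    }
}
```

The redirect attributes in the web.config above return a 302 to the error page; setting redirectMode="ResponseRewrite" on customErrors serves the error page in place with the original status code instead.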