Detail

ASP.NET CustomErrors Is Disabled

Severity: Medium

Summary #

Invicti detected that the custom errors in the ASP.NET application are disabled.

Impact #

ASP.NET application’s error messages or warnings might expose sensitive information that an attacker might use to gain important information about the inner workings of your application.

Actions To Take #

To enable custom error messages, please edit web.config and change custom messages parameter:


From:

<configuration>

  <system.web>

    <customErrors mode="Off"/>

  </system.web>

</configuration>

To:

<configuration>

  <system.web>

    <customErrors defaultRedirect="YourErrorPage.aspx"

                  mode="RemoteOnly">

      <error statusCode="500"

             redirect="InternalErrorPage.aspx"/>

    </customErrors>

  </system.web>

</configuration>

Please keep in mind different customError values

  • On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page
  • Off – Specifies that custom errors are disabled. This displays detailed errors.
  • RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local users.This is the default.
Classifications #
CWE-16; OWASP 2013-A6; OWASP 2017-A3
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Related Vulnerabilities

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo

Invicti Security Corp
220 Industrial Blvd Ste 102
Austin, TX 78745

© Invicti 2022

RESOURCES

USE CASES

WEB SECURITY

COMPANY

© Invicti 2022

SSA Privacy Policy California Privacy Rights Terms of Use Accessibility Sitemap
By using this website you agree with our use of cookies to improve its performance and enhance your experience. More information in our Privacy Policy.
OK