Severity: Medium
Invicti detected that the custom errors in the ASP.NET application are disabled.
The ASP.NET application's error messages or warnings might expose sensitive information that an attacker could use to learn about the inner workings of your application.
To enable custom error messages, edit web.config and change the customErrors setting:
From:
<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>
To:
<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>
Please keep in mind the different customErrors values:
If defaultRedirect is not specified, users see a generic error page.
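To check a web.config for this finding before deployment, the following added example (not part of the original advisory) parses the file and reports the customErrors mode at the root and in any <location> override. The function name, verdict strings and sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root setting matches the advisory's fix, but a
# <location> override switches custom errors off for one path.
SAMPLE = """<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off"/>
    </system.web>
  </location>
</configuration>"""

KNOWN_MODES = {"On", "Off", "RemoteOnly"}

def audit_custom_errors(xml_text):
    """Return (scope, mode, verdict) for every customErrors element found."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                 # tolerate an xmlns on <configuration>
        el.tag = el.tag.split("}")[-1]
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", "(all paths)"), loc) for loc in root.iter("location")]
    findings = []
    for scope, parent in scopes:
        ce = parent.find("system.web/customErrors")
        if ce is None:
            continue                       # nothing set here; value is inherited
        mode = ce.get("mode", "RemoteOnly")   # RemoteOnly is the ASP.NET default
        if mode == "Off":
            verdict = "FAIL: detailed errors are returned to every client"
        elif mode not in KNOWN_MODES:
            verdict = "REVIEW: unrecognised mode value"
        elif ce.get("defaultRedirect") is None:
            verdict = "OK: no defaultRedirect, users see a generic error page"
        else:
            verdict = "OK"
        findings.append((scope, mode, verdict))
    return findings

if __name__ == "__main__":
    for scope, mode, verdict in audit_custom_errors(SAMPLE):
        print(f"{scope:12} mode={mode:10} {verdict}")
```

A root-level setting of RemoteOnly does not cover a path whose <location> block sets mode="Off", which is why the check walks both.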