Summary

Invicti detected that the custom errors in the ASP.NET application are disabled.

Impact

With custom errors disabled, the ASP.NET application's error messages or warnings might expose sensitive information that an attacker could use to learn about the inner workings of your application.

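Actions To Take

To enable custom error messages, edit web.config and change the customErrors setting from:

    <customErrors mode="Off"/>

to:

    <!-- The redirect target for status 500 is a placeholder; point it at your own page. -->
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="On">
      <error statusCode="500" redirect="YourServerErrorPage.aspx"/>
    </customErrors>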

Keep in mind the different customErrors mode values:

  • On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page.
  • Off – Specifies that custom errors are disabled. This displays detailed errors.
  • RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local users. This is the default.
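
The mode values above can be checked automatically before deployment. The following is an added example, not Invicti's code: it audits a web.config for the customErrors setting and goes slightly beyond the text by also checking `<location>` overrides, which can turn detailed errors back on for one path. The sample configuration is constructed and the function name `audit_custom_errors` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original page): the root
# section is hardened, but a <location> override disables custom errors.
SAMPLE = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="YourErrorPage.aspx"/>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off"/>
    </system.web>
  </location>
  <location path="reports">
    <system.web/>
  </location>
</configuration>"""

VERDICTS = {
    "Off": "FAIL: detailed errors shown to every client",
    "RemoteOnly": "OK: detailed errors shown to local users only",
    "On": "OK: custom errors shown to every client",
}


def audit_custom_errors(xml_text):
    """Return [(scope, mode, verdict)] for every customErrors setting found."""
    root = ET.fromstring(xml_text)
    sections = [("(root)", sw) for sw in root.findall("system.web")]
    for loc in root.findall("location"):
        scope = "location:" + loc.get("path", "")
        sections += [(scope, sw) for sw in loc.findall("system.web")]
    findings = []
    for scope, sw in sections:
        element = sw.find("customErrors")
        if element is None:
            continue  # nothing set in this section; the value is inherited
        # Assumption: a missing mode attribute means the RemoteOnly default.
        mode = element.get("mode", "RemoteOnly")
        verdict = VERDICTS.get(mode, "REVIEW: unrecognized mode")
        findings.append((scope, mode, verdict))
    if not any(scope == "(root)" for scope, _, _ in findings):
        # No root-level element: the page names RemoteOnly as the default.
        findings.insert(0, ("(root)", "RemoteOnly", VERDICTS["RemoteOnly"]))
    return findings


if __name__ == "__main__":
    for scope, mode, verdict in audit_custom_errors(SAMPLE):
        print(f"{scope:18} mode={mode:11} {verdict}")
```

The check reads a single file only; settings inherited from a parent web.config or machine.config are not resolved.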

Classifications

CWE-16; OWASP 2013-A6; OWASP 2017-A3