ASP.NET CustomErrors Is Disabled

Severity: Medium
Summary

Invicti detected that the custom errors in the ASP.NET application are disabled.

Impact

Error messages and warnings from the ASP.NET application might expose sensitive information that an attacker could use to learn about the inner workings of your application.

Actions To Take

To enable custom error messages, edit web.config and change the customErrors setting:


From:

<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>

To:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx"
                  mode="RemoteOnly">
      <error statusCode="500"
             redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

Keep in mind the different customErrors mode values:

  • On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page.
  • Off – Specifies that custom errors are disabled. This displays detailed errors.
  • RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local users. This is the default.
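
To verify the setting across deployed configuration files, the check below parses a web.config and reports the customErrors mode for the root section and for any <location> section. It is an added example, not part of the original advisory or Invicti's code; the function names, the sample file and its <location path="admin"> override are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root section follows the advisory's "To:" config,
# but a <location> override (assumed here) switches detailed errors back on.
SAMPLE = """<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
  <location path="admin">
    <system.web><customErrors mode="Off"/></system.web>
  </location>
</configuration>"""

NOTES = {
    "Off": "FAIL: detailed errors are shown to every client",
    "RemoteOnly": "OK: remote clients get custom errors; local users see details",
    "On": "OK: custom errors for all clients",
}

def audit_custom_errors(config_xml):
    """Return a list of (scope, mode, note) for each customErrors setting."""
    root = ET.fromstring(config_xml)
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        elem = node.find("system.web/customErrors")
        if elem is None:
            # Only the root falls back to the default; a <location> without
            # the element inherits whatever its parent scope uses.
            if scope == "(root)":
                findings.append((scope, "RemoteOnly", "OK: element absent, default applies"))
            continue
        mode = elem.get("mode", "RemoteOnly")  # RemoteOnly is the default
        note = NOTES.get(mode, "CHECK: unrecognised mode value")
        if mode == "On" and not elem.get("defaultRedirect"):
            note += " (no defaultRedirect: generic error page)"
        findings.append((scope, mode, note))
    return findings

def has_failure(findings):
    """True when any scope leaves custom errors disabled."""
    return any(mode == "Off" for _, mode, _ in findings)

if __name__ == "__main__":
    for scope, mode, note in audit_custom_errors(SAMPLE):
        print(f"{scope:8} mode={mode:11} {note}")
```

Running has_failure over the findings in a build or deployment pipeline lets a release be blocked when any scope still sets mode="Off".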