Summary

Netsparker detected that the custom errors in the ASP.NET application are disabled.

Impact

With custom errors disabled, the ASP.NET application's detailed error messages or warnings might expose sensitive information that an attacker could use to learn about the inner workings of your application.

Actions To Take

To enable custom error messages, edit web.config and change the mode attribute of the customErrors element:

From:

<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>

To:

<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx"
                  mode="RemoteOnly">
      <error statusCode="500"
             redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>

Keep in mind the different customErrors mode values:

  • On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page.
  • Off – Specifies that custom errors are disabled. This displays detailed errors.
  • RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local users. This is the default.
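
One way to check a web.config for this finding before deployment, shown as an added example that is not part of the original advisory or the scanner's own code. The function name audit_custom_errors and the sample strings are hypothetical; the script assumes a web.config without an XML namespace on the configuration element.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs mirroring the "From" and "To" snippets above.
INSECURE = """<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample with no customErrors element at all.
NO_ELEMENT = "<configuration><system.web/></configuration>"


def audit_custom_errors(xml_text):
    """Return one (mode, verdict, note) tuple per customErrors element.
    A config with no such element yields the RemoteOnly default."""
    root = ET.fromstring(xml_text)
    # iter() is recursive, so system.web sections nested deeper are included.
    elements = [ce for sw in root.iter("system.web")
                for ce in sw.findall("customErrors")]
    if not elements:
        return [("RemoteOnly", "ok", "no customErrors element; default applies")]
    findings = []
    for ce in elements:
        mode = ce.get("mode", "RemoteOnly")  # attribute omitted -> default
        if mode.lower() == "off":  # case-insensitive so "off" is flagged too
            findings.append((mode, "fail", "detailed errors shown to all clients"))
        elif ce.get("defaultRedirect") is None:
            findings.append((mode, "ok", "no defaultRedirect; generic error page"))
        else:
            findings.append((mode, "ok", "redirects to " + ce.get("defaultRedirect")))
    return findings


if __name__ == "__main__":
    samples = [("insecure", INSECURE), ("hardened", HARDENED), ("no element", NO_ELEMENT)]
    for name, cfg in samples:
        for mode, verdict, note in audit_custom_errors(cfg):
            print(f"{name}: mode={mode} [{verdict}] {note}")
```
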

Classifications

CWE-16; OWASP 2013-A6; OWASP 2017-A3