Stack Trace Disclosure (ASP.NET)
Severity: Low
Summary #
Netsparker identified a stack trace disclosure (ASP.NET) in the target web server's HTTP response.
Impact #
An attacker can obtain information such as:
- ASP.NET version.
- Physical file path of temporary ASP.NET files.
- Information about the generated exception and possibly source code, SQL queries, etc.
Remediation #
Apply following changes on your
web.config file to prevent information leakage by applying custom error pages. <System.Web>
<customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
<error statusCode="403" redirect="~/error/Forbidden.aspx" />
<error statusCode="404" redirect="~/error/PageNotFound.aspx" />
<error statusCode="500" redirect="~/error/InternalError.aspx" />
</customErrors>
</System.Web>
Classifications #
PCI v3.1-6.5.5; PCI v3.2-6.5.5; CAPEC-214; CWE-248; HIPAA-164.306(a), 164.308(a); ISO27001-A.9.2.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6
Netsparker Security Insights #
- What is server-side request forgery (SSRF) and how can you prevent it?
- What the OWASP Top 10 2021 categories mean for OWASP compliance
- The new OWASP Top 10 is not what you think
- Netsparker Supports the OWASP Lightning Event “How to Turn your Cybersecurity Hobby into a Career – An Introduction to Bug Bounties”
- Predicting the Most Common Security Vulnerabilities for Web Applications in 2021
Helpful Use Cases #
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
