Checklist Item Template Example

Generic Error Pages with Harmless Messages are Returned to the Client

Applies to

  • ASP.NET 1.1

What to Check For

Check to ensure that error messages to the client don't result in disclosure of sensitive application details such as:
  • Code structure
  • Database structure
  • Connection strings
  • Credentials

Why

Disclosing application details may give an attacker just the information he needs to succeed in exploiting a vulnerability in your application.

How to Check

Check to ensure that the mode attribute of the <customErrors> element is set to On, so that all callers (local as well as remote) receive filtered exception information.

Check to ensure that the <customErrors> section of the Web.config file has been set to specify a default error page to display.

How to Fix

To return a generic error page, configure the <customErrors> element as follows:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

The error page should include a suitably generic error message, possibly with additional support details. The name of the page that generated the error is passed to the error page through the aspxerrorpath query parameter.

You can also use multiple error pages for different types of errors. For example:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm">
    <error statusCode="404" redirect="YourNotFoundPage.htm"/>
    <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
</customErrors>

For individual pages you can supply an error page using the following page-level attribute:

<%@ Page ErrorPage="YourErrorPage" %>
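As an added example that is not part of the original checklist, the following Python script audits the <customErrors> element of a Web.config against the two checks above (mode set to On, and a default error page specified) and also flags incomplete per-status <error> entries. The two Web.config fragments are constructed samples: one with the weak setting, one with the fix from this page.

```python
import xml.etree.ElementTree as ET


def audit_custom_errors(web_config_xml: str) -> list[str]:
    """Return checklist findings for <customErrors>; an empty list means both checks pass."""
    findings = []
    root = ET.fromstring(web_config_xml)
    elem = root.find("./system.web/customErrors")
    if elem is None:
        # ASP.NET's built-in default when the element is absent is RemoteOnly,
        # and no default error page is specified.
        return ['<customErrors> missing: mode defaults to "RemoteOnly" and no '
                "defaultRedirect page is specified"]

    mode = elem.get("mode", "RemoteOnly")  # default used by ASP.NET when the attribute is omitted
    if mode == "Off":
        findings.append('mode="Off": every client receives full exception details')
    elif mode == "RemoteOnly":
        findings.append('mode="RemoteOnly": local callers still see exception details; set mode="On"')
    elif mode != "On":
        findings.append(f'mode="{mode}": unrecognised value; set mode="On"')

    if not elem.get("defaultRedirect"):
        findings.append("no defaultRedirect attribute: specify a generic error page")

    # Per-status overrides must name both the status code and the redirect target.
    for err in elem.findall("error"):
        if not err.get("statusCode") or not err.get("redirect"):
            findings.append("<error> entry is missing statusCode or redirect")
    return findings


# Constructed sample: the weak setting an auditor should flag.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the fix shown on this page.
FIXED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm">
      <error statusCode="404" redirect="YourNotFoundPage.htm"/>
      <error statusCode="500" redirect="YourInternalErrorPage.htm"/>
    </customErrors>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_custom_errors(cfg) or ["OK"])
```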

Problem Example

An ASP.NET application has code to connect to a SQL database. However, the application does not have a generic error page specified. As a result, when the connection times out, application details are revealed to the client in the exception.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)

Source Error:
Line 216:
Line 217: if (conn.State != ConnectionState.Open)
Line 218: conn.Open();
Line 219:
Line 220: cmd.Connection = conn;

Solution Example

An ASP.NET application has code to connect to a SQL database. Since it has set the mode attribute of the <customErrors> element to On, only generic error information is displayed when the SQL connection times out.

Additional Resources

Related Items

  • Guideline: Return Generic Error Messages to Client

Last edited Apr 1, 2007 at 12:19 AM by mycodeplexuser, version 2
