Abstract:

An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in error responses.

Explanation:

ASP.NET applications should be configured to use custom error pages instead of the framework default page. The default error page gives detailed information about the error that occurred, and should not be used in production environments. The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.

Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

Recommendations:

Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on the <customErrors> tag in your application's configuration file and setting the defaultRedirect attribute to point to your custom error page, such as error.aspx in the example below.

<configuration>
  <system.web>
    <!-- customErrors is a child of system.web -->
    <customErrors mode="On" defaultRedirect="error.aspx"/>
  </system.web>
  ...
</configuration>

Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP.NET configuration file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system information that you are trying to protect by replacing the framework defaults. Error pages should never display specific information about the application or any of the resources it uses. In particular, displaying stack traces and other execution specifics should always be avoided.
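A check for the recommendation above, as an added example that is not part of the original page: it parses a web.config and reports every <customErrors> setting that is missing, not set to mode="On", or lacking defaultRedirect. The sample configs and the function name audit_custom_errors are constructed for illustration, and the check reads a single un-namespaced file without resolving settings inherited from parent configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for this demonstration (not from the original page).
WEAK = '<configuration><system.web><customErrors mode="Off"/></system.web></configuration>'
HARDENED = ('<configuration><system.web>'
            '<customErrors mode="On" defaultRedirect="error.aspx"/>'
            '</system.web></configuration>')
NO_ELEMENT = ('<configuration><system.web>'
              '<compilation debug="false"/>'
              '</system.web></configuration>')


def audit_custom_errors(config_xml):
    """Return a list of findings for <customErrors>; an empty list means compliant."""
    root = ET.fromstring(config_xml)
    # <location> blocks can carry their own <system.web>, so check every occurrence.
    sections = root.findall(".//system.web")
    if not sections:
        return ["no <system.web> section: customErrors is not set in this file"]
    findings = []
    for section in sections:
        element = section.find("customErrors")
        if element is None:
            findings.append("<customErrors> missing: mode defaults to RemoteOnly")
            continue
        # ASP.NET treats an omitted mode attribute as RemoteOnly.
        mode = element.get("mode", "RemoteOnly")
        if mode != "On":
            findings.append(f'mode="{mode}": the page recommends mode="On" for production')
        if not element.get("defaultRedirect"):
            findings.append("defaultRedirect not set: no custom error page configured")
    return findings


if __name__ == "__main__":
    samples = (("weak", WEAK), ("hardened", HARDENED), ("no element", NO_ELEMENT))
    for name, xml_text in samples:
        results = audit_custom_errors(xml_text)
        print(name, "->", results or "compliant")
```

Run against each deployed web.config as part of a release gate; a non-empty result means the file does not match the recommended setting.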
