ASP.NET Misconfiguration: Missing Error Handling
Abstract:
An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the
framework's built-in error responses.
Explanation:
ASP.NET applications should be configured to use custom error pages instead of the framework default page. The default error
page gives detailed information about the error that occurred, and should not be used in production environments. The mode
attribute of the <customErrors> tag defines whether custom or default error pages are used.
Attackers can leverage the additional information provided by a default error page to mount attacks that target the framework,
database, or other resources used by the application.
Recommendations:
Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on
the <customErrors> tag in your application's configuration file and setting the defaultRedirect attribute to point to your custom
error page, such as error.aspx in the example below.
<configuration>
  <!-- customErrors is a child of system.web -->
  <system.web>
    <customErrors mode="On" defaultRedirect="error.aspx"/>
  </system.web>
  ...
</configuration>
Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP.NET configuration
file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system
information that you are trying to protect by replacing the framework defaults. Error pages should never display specific
information about the application or any of the resources it uses. In particular, displaying stack traces and other execution
specifics should always be avoided.
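One way to check a configuration file against this recommendation, as an added example that is not part of the original page: the script parses a web.config string and reports any <customErrors> element whose mode is not On or that has no defaultRedirect. The function name and the sample configurations are constructed for illustration, and treating every mode other than On as a finding follows the recommendation above.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Tag name without an XML namespace prefix such as {uri}customErrors."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return a list of findings for the <customErrors> settings in a web.config string."""
    root = ET.fromstring(web_config_xml)
    # Collect every <customErrors> that is a direct child of a <system.web> element.
    elems = [child
             for sw in root.iter() if _local(sw.tag) == "system.web"
             for child in sw if _local(child.tag) == "customErrors"]
    if not elems:
        return ["no <customErrors> element: mode is not explicitly set to On"]
    findings = []
    for el in elems:
        mode = el.get("mode")
        if mode != "On":
            findings.append(f"customErrors mode is {mode!r}, not 'On'")
        if not (el.get("defaultRedirect") or "").strip():
            findings.append("customErrors has no defaultRedirect page")
    return findings


# Constructed sample inputs (not taken from any real application).
HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="error.aspx"/>
</system.web></configuration>"""

WEAK = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web></configuration>"""

MISSING = """<configuration><system.web>
  <compilation debug="false"/>
</system.web></configuration>"""

if __name__ == "__main__":
    samples = [("hardened", HARDENED), ("weak", WEAK), ("missing", MISSING)]
    for name, xml in samples:
        print(name, audit_custom_errors(xml) or "OK")
```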