Abstract:

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the

framework's built-in error responses.

Explanation:

ASP .NET applications should be configured to use custom error pages instead of the framework default page. The default error

page gives detailed information about the error that occurred, and should not be used in production environments. The mode

attribute of the <customErrors> tag defines whether custom or default error pages are used.

Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework,

database, or other resources used by the application.

Recommendations:

Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on

the <customErrors> tag in your application's configuration file and setting the property to point to your custom error page, such

as error.aspx in the example below.

<configuration>

<customErrors mode="On" defaultRedirect="error.aspx"/>

...

</configuration>

Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP .NET configuration

file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system

information that you are trying to protect by replacing the framework defaults. Error pages should never display specific

information about the application or any of the resources it uses. In particular, displaying stack traces and other execution

specifics should always be avoided.

ASP.NET Misconfiguration: Missing Error Handling的更多相关文章

  1. Error Handling in ASP.NET Core

    Error Handling in ASP.NET Core 前言  在程序中,经常需要处理比如 404,500 ,502等错误,如果直接返回错误的调用堆栈的具体信息,显然大部分的用户看到是一脸懵逼的 ...

  2. ASP.NET Error Handling

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspn ...

  3. Demystifying ASP.NET MVC 5 Error Pages and Error Logging

    出处:http://dusted.codes/demystifying-aspnet-mvc-5-error-pages-and-error-logging Error pages and error ...

  4. Error Handling

    Use Exceptions Rather Than Return Codes Back in the distant past there were many languages that didn ...

  5. beam 的异常处理 Error Handling Elements in Apache Beam Pipelines

    Error Handling Elements in Apache Beam Pipelines Vallery LanceyFollow Mar 15 I have noticed a defici ...

  6. 19 Error handling and Go go语言错误处理

    Error handling and Go go语言错误处理 12 July 2011 Introduction If you have written any Go code you have pr ...

  7. Erlang error handling

    Erlang error handling Contents Preface try-catch Process link Erlang-way error handling OTP supervis ...

  8. MySQL Error Handling in Stored Procedures 2

    Summary: this tutorial shows you how to use MySQL handler to handle exceptions or errors encountered ...

  9. Appcelerator Titanium Studio: JNI_CreateJavaVM missing error

    Mac升级到Yosemite后,Titanium Studio启动不了,报Appcelerator Studio: JNI_CreateJavaVM missing error 之类的错误,重装了Or ...

随机推荐

  1. 一个奇葩的SQL

    需求 建表脚本 CREATE TABLE [dbo].[A]( ) NOT NULL, ) NULL ) ON [PRIMARY] GO CREATE TABLE [dbo].[B]( ) NOT N ...

  2. webstorm(注册,激活,破解,码,一起支持正版,最新可用)(2016.9.2更新)

    webstorm(注册,激活,破解,码,一起支持正版,最新可用)(2016.9.2更新)   来源于:http://blog.csdn.net/xx1710/article/details/51725 ...

  3. 键盘键与虚拟键码对照表+delphi虚拟键码对应关键

    键盘键与虚拟键码对照表 字母和数字键 数字小键盘的键 功能键 其它键 键 键码 键 键码 键 键码 键 键码 A 65 0 96 F1 112 Backspace 8 B 66 1 97 F2 113 ...

  4. JVM体系结构与工作方式

    JVM全程是java virtual machine(java虚拟机). 以计算为中心来看计算机的体系结构可以分为以下几个部分: 1.指令集:这个计算机所能识别的机器语言的命令集合; 2.计算单元:能 ...

  5. 使用Spring+Junit4.4进行测试(使用注解)

    http://nottiansyf.iteye.com/blog/345819 使用Junit4.4测试 在类上的配置Annotation @RunWith(SpringJUnit4ClassRunn ...

  6. 118、通过solid来定义不同边框的颜色,可以只定义一个边框的颜色

    以下是设置按钮的右边框和底边框颜色为红色,边框大小为3dp,如下图: 在drawable新建一个 buttonstyle.xml的文件,内容如下: <?xml version="1.0 ...

  7. sql优化方法

    1. SELECT子句中避免使用 “*” 当你想在SELECT子句中列出所有的COLUMN时,使用动态SQL列引用‘*’是一个方便的方法.不幸的是,这是一个非常低效的方法. 实际上,ORACLE在解析 ...

  8. CuteSTL——跟着感觉造轮子

    置顶推荐: CuteSTL:https://github.com/jxd134/algorithm/tree/master/CuteSTL TinySTL:https://github.com/zou ...

  9. rpm命令

    RPM 安装.卸载.升级.查询和验证. RPM 安装 命令: rpm -i 文件名 如: rpm -i example.rpm 安装 example.rpm 包: rpm -iv example.rp ...

  10. Doxygen给C程序生成注释文档

    近段时间,一直在学习华为C语言编程规范(2011版),在“注释”这一章中发现了一种“Doxygen”的注释转文档工具,查看诸多相关资料,并进行编程实践,终于可以利用Doxygen给C程序生成注释文档. ...