Abstract:

An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in error responses.

Explanation:

ASP.NET applications should be configured to use custom error pages instead of the framework default page. The default error page gives detailed information about the error that occurred, and should not be used in production environments. The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.

Attackers can leverage the additional information provided by a default error page to mount attacks targeted at the framework, database, or other resources used by the application.

Recommendations:

Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on the <customErrors> tag in your application's configuration file and setting the defaultRedirect attribute to point to your custom error page, such as error.aspx in the example below.

<configuration>
  <!-- customErrors is only valid inside the system.web section -->
  <system.web>
    <customErrors mode="On" defaultRedirect="error.aspx"/>
    ...
  </system.web>
</configuration>

Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP.NET configuration file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system information that you are trying to protect by replacing the framework defaults. Error pages should never display specific information about the application or any of the resources it uses. In particular, displaying stack traces and other execution specifics should always be avoided.
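The recommendation above can be checked before deployment. The following is an added example, not part of the original advisory: a Python audit that reports every <customErrors> setting in a web.config that is not mode="On" with a defaultRedirect, including per-path overrides in <location> blocks. The function name and both sample configurations are constructed for illustration, and the check assumes the <configuration> element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original page).
WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="RemoteOnly" defaultRedirect="error.aspx"/>
    </system.web>
  </location>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="error.aspx"/>
  </system.web>
</configuration>"""


def audit_custom_errors(xml_text):
    """Return a list of (scope, problem) findings for a web.config document."""
    root = ET.fromstring(xml_text)
    findings = []
    # Root-level <system.web> plus any per-path overrides inside <location>.
    scopes = [("(root)", root.find("system.web"))]
    scopes += [(loc.get("path", ""), loc.find("system.web"))
               for loc in root.iter("location")]
    for scope, system_web in scopes:
        ce = system_web.find("customErrors") if system_web is not None else None
        if ce is None:
            # A <location> block that does not mention customErrors inherits.
            if scope == "(root)":
                findings.append((scope, "customErrors not set"))
            continue
        mode = ce.get("mode")
        if mode != "On":
            findings.append((scope, f"mode is {mode!r}, expected 'On'"))
        if not ce.get("defaultRedirect"):
            findings.append((scope, "defaultRedirect not set"))
    return findings


if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_custom_errors(doc) or "ok")
```

An empty list means every <customErrors> element found matches the recommended setting; any finding names the scope (root or the <location> path) that needs attention.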
