Abstract:

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the

framework's built-in error responses.

Explanation:

ASP .NET applications should be configured to use custom error pages instead of the framework default page. The default error

page gives detailed information about the error that occurred, and should not be used in production environments. The mode

attribute of the <customErrors> tag defines whether custom or default error pages are used.

Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework,

database, or other resources used by the application.

Recommendations:

Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on

the <customErrors> tag in your application's configuration file and setting the property to point to your custom error page, such

as error.aspx in the example below.

<configuration>

<customErrors mode="On" defaultRedirect="error.aspx"/>

...

</configuration>

Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP .NET configuration

file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system

information that you are trying to protect by replacing the framework defaults. Error pages should never display specific

information about the application or any of the resources it uses. In particular, displaying stack traces and other execution

specifics should always be avoided.

ASP.NET Misconfiguration: Missing Error Handling的更多相关文章

  1. Error Handling in ASP.NET Core

    Error Handling in ASP.NET Core 前言  在程序中,经常需要处理比如 404,500 ,502等错误,如果直接返回错误的调用堆栈的具体信息,显然大部分的用户看到是一脸懵逼的 ...

  2. ASP.NET Error Handling

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspn ...

  3. Demystifying ASP.NET MVC 5 Error Pages and Error Logging

    出处:http://dusted.codes/demystifying-aspnet-mvc-5-error-pages-and-error-logging Error pages and error ...

  4. Error Handling

    Use Exceptions Rather Than Return Codes Back in the distant past there were many languages that didn ...

  5. beam 的异常处理 Error Handling Elements in Apache Beam Pipelines

    Error Handling Elements in Apache Beam Pipelines Vallery LanceyFollow Mar 15 I have noticed a defici ...

  6. 19 Error handling and Go go语言错误处理

    Error handling and Go go语言错误处理 12 July 2011 Introduction If you have written any Go code you have pr ...

  7. Erlang error handling

    Erlang error handling Contents Preface try-catch Process link Erlang-way error handling OTP supervis ...

  8. MySQL Error Handling in Stored Procedures 2

    Summary: this tutorial shows you how to use MySQL handler to handle exceptions or errors encountered ...

  9. Appcelerator Titanium Studio: JNI_CreateJavaVM missing error

    Mac升级到Yosemite后,Titanium Studio启动不了,报Appcelerator Studio: JNI_CreateJavaVM missing error 之类的错误,重装了Or ...

随机推荐

  1. kali ssh服务开启登录

    vi /etc/ssh/sshd_config 将#PasswordAuthentication no的注释去掉,并且将NO修改为YES //kali中默认是yes 2. 将PermitRootLog ...

  2. Hadoop总结篇之三---一个Job到底被提交到哪去了

    我们会定义Job,我们会定义map和reduce程序.那么,这个Job到底是怎么提交的?提交到哪去了?它到底和集群怎么进行交互的呢? 这篇文章将从头讲起. 开发hadoop的程序时,一共有三大块,也就 ...

  3. SQL Server替换特殊字符

    1.查找特殊字符的ASCII码,在这里当然能够看到这个特出字符的模样,可用函数取出这个特殊字符进行复制,下面的取值为9 Select ascii(' ') 2.根据ASCII码值替换特殊字符 Upda ...

  4. Bugtags 创业一年总结

    出发 在经历过了多轮的 APP 开发/测试/上线/运营周期之后,我们觉得 APP Bug 反馈环节始终十分低效,我们要来改变一下这个状态.于是有了 bugtags.com. 一年 从去年六月正式立项, ...

  5. php 二维数组排序,多维数组排序

    对2维数组或者多维数组排序是常见的问题,在php中我们有个专门的多维数组排序函数,下面简单介绍下: array_multisort(array1,sorting order, sorting type ...

  6. SQL Server 2014 SP2发布下载:数十项更新修复

    微软发布了数据库工具SQL Server 2014 SP2服务包下载,本次更新集合了数十项更新修复,涉及安全和功能性补丁,使用SQL Server 2014的用户应该及时安装该服务包. 文件内容 版本 ...

  7. Programming in Lua读书笔记

         Lua的长处之一就是可以通过新类型和函数来扩展其功能.动态类型检查最大限度允许多态出现,并自动简化调用内存管理的接口,因为这样不需要关心谁来分配内存谁来释放内存,也不必担心数据溢出.高级函数 ...

  8. 几大最短路径算法比较(Floyd & Dijkstra & Bellman-Ford & SPFA)

    几个最短路径算法的比较:Floyd 求多源.无负权边(此处错误?应该可以有负权边)的最短路.用矩阵记录图.时效性较差,时间复杂度O(V^3).       Floyd-Warshall算法(Floyd ...

  9. OpenLayers 3 中Layers的相关知识

    昨天自己一遍又一遍的把API里Accessible map那个例子写下来,终于好像有熟悉一点点.找到一篇博文详细讲Layers的.整理一下贴出来(本来想在网上做笔记可以重新排版,比写在本子上要容易有结 ...

  10. 用c++写一个简单的计算器程序

    // 050305.cpp : 定义控制台应用程序的入口点.// // 050304.cpp : 定义控制台应用程序的入口点.////四则运算#include "stdafx.h" ...