• ASP.NET Misconfiguration: Missing Error Handling


    Abstract:

    An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the

    framework's built-in error responses.

    Explanation:

    ASP .NET applications should be configured to use custom error pages instead of the framework default page. The default error

    page gives detailed information about the error that occurred, and should not be used in production environments. The mode

    attribute of the <customErrors> tag defines whether custom or default error pages are used.

    Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework,

    database, or other resources used by the application.

    Recommendations:

    Always enable custom error pages for production deployment. This can be accomplished by setting the mode attribute to On on

    the <customErrors> tag in your application's configuration file and setting the property to point to your custom error page, such

    as error.aspx in the example below.

    <configuration>

    <customErrors mode="On" defaultRedirect="error.aspx"/>

    ...

    </configuration>

    Custom error pages can also be configured at a more granular level in the <appSettings> section of the ASP .NET configuration

    file. When you customize these settings and implement your custom error pages, be certain they do not leak any of the system

    information that you are trying to protect by replacing the framework defaults. Error pages should never display specific

    information about the application or any of the resources it uses. In particular, displaying stack traces and other execution

    specifics should always be avoided.

  • 相关阅读:
    C语言寒假大作战01
    第十二次作业
    第十一次作业
    第十周作业
    第九次作业
    第8周作业
    第七次作业
    C语言I作业12—学期总结
    第一周作业
    C语言l博客作业02
  • 原文地址:https://www.cnblogs.com/time-is-life/p/6203059.html
Copyright © 2020-2023  润新知