An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in error responses.
ASP .NET applications should be configured to use custom error pages instead of the framework default page. The default error page gives detailed information about the error that occurred, and should not be used in production environments. The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.
Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.
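As an added illustration (not part of the original description, and not a Fortify rule implementation), the following Python script embeds two constructed web.config fragments, one with the weak setting (mode="Off") and one with custom error pages enabled, and checks the <customErrors> element the way a configuration review would. The file paths ~/Error.aspx and ~/NotFound.aspx are hypothetical. The check treats an absent element as the framework default of RemoteOnly, which is what the ASP.NET settings schema specifies when mode is not set.

```python
import xml.etree.ElementTree as ET

# Constructed sample: custom errors disabled, so the detailed framework
# error page (stack trace, source context, version) reaches every client.
WEAK_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample: custom error pages enabled for all clients, with an
# application-controlled page (hypothetical paths) used instead of the default.
FIXED_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# Constructed sample: no <customErrors> element at all.
ABSENT_CONFIG = "<configuration><system.web /></configuration>"


def check_custom_errors(web_config: str) -> dict:
    """Report the effective <customErrors> settings of a web.config string.

    Returns a dict with the effective mode, whether the element was present,
    the defaultRedirect value (or None) and a 'finding' string, which is None
    when the configuration does not expose the default error page remotely.
    """
    root = ET.fromstring(web_config)
    node = root.find("./system.web/customErrors")

    if node is None:
        # Element absent: the schema default (RemoteOnly) applies, so remote
        # clients do not see detailed errors, but the intent is only implicit.
        return {
            "mode": "RemoteOnly",
            "explicit": False,
            "default_redirect": None,
            "finding": None,
        }

    mode = node.get("mode", "RemoteOnly")
    default_redirect = node.get("defaultRedirect")
    finding = None

    # Compare case-insensitively so the review does not miss a variant spelling.
    if mode.lower() == "off":
        finding = ('customErrors mode="Off": the detailed default error page is '
                   'served to every client; set mode to "On" or "RemoteOnly"')
    elif mode.lower() not in ("on", "remoteonly"):
        finding = f"unrecognised customErrors mode {mode!r}"

    return {
        "mode": mode,
        "explicit": True,
        "default_redirect": default_redirect,
        "finding": finding,
    }


def review_all() -> dict:
    """Run the check over the three constructed samples."""
    return {
        "weak": check_custom_errors(WEAK_CONFIG),
        "fixed": check_custom_errors(FIXED_CONFIG),
        "absent": check_custom_errors(ABSENT_CONFIG),
    }


if __name__ == "__main__":
    for name, result in review_all().items():
        print(f"{name}: mode={result['mode']} finding={result['finding']}")
```

A deployment review would run this over every web.config in the application tree, since a <customErrors> element in a subdirectory can override the root setting. RemoteOnly keeps detailed errors on the local machine only, which is acceptable for development hosts; production servers should use "On" with an application-owned defaultRedirect page.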
[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling
[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A7 Improper Error Handling
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3120 CAT II
[5] ASP.Net Settings Schema:
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 12
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.2, Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.7