Summary
Acunetix 360 detected that the custom errors in the ASP.NET application are disabled.
Impact
Error messages or warnings from the ASP.NET application might expose sensitive information that an attacker can use to learn about the inner workings of your application.
Actions To Take
To enable custom error messages, edit web.config and change the customErrors setting:
From:
<configuration>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>
To:
<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly">
      <error statusCode="500" redirect="InternalErrorPage.aspx"/>
    </customErrors>
  </system.web>
</configuration>
Please keep in mind the different customErrors mode values:
- On – Specifies that custom errors are enabled. If defaultRedirect is not specified, users see a generic error page.
- Off – Specifies that custom errors are disabled. This displays detailed errors.
- RemoteOnly – Specifies that custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to local users. This is the default.
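One way to check a web.config for this finding before deployment, as an added example that is not part of the Acunetix 360 advisory. The function name, finding labels and sample file are assumptions made for illustration, and the check goes beyond the page by also inspecting `<location>` overrides, where a single path can switch the mode back to Off.

```python
import xml.etree.ElementTree as ET

# Constructed sample: safe at the root, but overridden to "Off" for one path.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <customErrors defaultRedirect="YourErrorPage.aspx" mode="RemoteOnly"/>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off"/>
    </system.web>
  </location>
</configuration>
"""

def audit_custom_errors(web_config_xml):
    """Return (scope, mode, finding) for each place customErrors applies."""
    root = ET.fromstring(web_config_xml)
    # The root <system.web> plus any <location path="..."> overrides.
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    results = []
    for scope, node in scopes:
        system_web = node.find("system.web")
        element = system_web.find("customErrors") if system_web is not None else None
        if element is None:
            # No element: RemoteOnly is the default. Overrides without one inherit.
            if scope == "<root>":
                results.append((scope, "RemoteOnly", "ok-default"))
            continue
        mode = element.get("mode", "RemoteOnly")
        if mode.lower() == "off":  # lenient match so a mis-cased value is still flagged
            finding = "detailed-errors-exposed"
        elif element.get("defaultRedirect") is None:
            finding = "no-defaultRedirect"
        else:
            finding = "ok"
        results.append((scope, mode, finding))
    return results

if __name__ == "__main__":
    for scope, mode, finding in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(f"{scope}: mode={mode} -> {finding}")
```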