ASP.NET error message

Published on 2010-01-14. Updated on 2010-01-14.

Description:
By requesting a specially crafted URL, it is possible to generate an ASP.NET error message. The message contains the complete stack trace and the Microsoft .NET Framework version.


Impact:
The error messages may disclose sensitive information. This information can be used to launch further attacks.

Recommendation:
Adjust web.config to enable custom errors for remote clients. Set the customErrors mode to On or RemoteOnly; Off disables custom errors and shows the detailed ASP.NET errors to every client. customErrors is a child of the system.web element. RemoteOnly specifies that custom errors are shown only to remote clients and that ASP.NET errors are shown to the local host. This is the default value.
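A way to check a web.config for this setting, as an added example that is not part of the original advisory. The sample configurations are constructed, `audit_custom_errors` is a hypothetical helper name, and only the file itself is inspected (settings inherited from machine.config or a parent web.config are not considered).

```python
import xml.etree.ElementTree as ET

DEFAULT_MODE = "RemoteOnly"  # applies when customErrors is absent, per the advisory

# Constructed sample: detailed errors (stack trace, framework version) reach remote clients.
WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the site root is fine, but a <location> override re-exposes one path.
OVERRIDE = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <location path="reports">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample: customErrors omitted, so the default applies.
IMPLICIT = "<configuration><system.web /></configuration>"


def audit_custom_errors(xml_text):
    """Return (scope, mode, exposes_details) for each customErrors scope in a web.config."""
    root = ET.fromstring(xml_text)
    elem = root.find("system.web/customErrors")
    mode = DEFAULT_MODE if elem is None else elem.get("mode", DEFAULT_MODE)
    findings = [("/", mode, mode == "Off")]
    # <location> blocks override the root setting for their own path only.
    for loc in root.findall("location"):
        elem = loc.find("system.web/customErrors")
        if elem is not None:  # absent means the path inherits the root setting
            mode = elem.get("mode", DEFAULT_MODE)
            findings.append((loc.get("path", "."), mode, mode == "Off"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("OVERRIDE", OVERRIDE), ("IMPLICIT", IMPLICIT)):
        for scope, mode, exposed in audit_custom_errors(cfg):
            print(f"{name:9} {scope:8} mode={mode:10} {'EXPOSED' if exposed else 'ok'}")
```

The OVERRIDE case is the one a root-only review misses: the site-wide setting looks correct while a single path still returns detailed errors.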

Tags: Scripts

Alert Tags: information_disclosure,error_handling
ApplicableApplicationServer: All
ApplicableOS: Windows
ApplicableWebServer: All

References:

  • customErrors Element (ASP.NET Settings Schema)
