By default, these error messages will be presented only to users
viewing the web page from the local machine; however, it is not uncommon for developers
to remove this restriction when attempting to get a web application running in a
production environment. This type of information disclosure can give attackers critical
information about the application and its behavior. When reviewing an ASP.Net application,
an attacker can pay close attention to the error pages returned. If the error page
contains debugging information, he can use that information to guide future attacks.
Figure 5-1 shows the stack trace when attempting to submit malicious content that is
caught by ASP.Net's page validation. This provides the attacker with vital information
about why the attack may or may not be working.
Using Error Pages to View System Information Countermeasure
To configure an ASP.Net server not to return comprehensive debugging information, it
is recommended that a default error page for the application be specified. This can be
done by editing the application's web.config file and changing the defaultRedirect
attribute value of the customErrors element. Changing this value to a default error
page ensures that sensitive application-specific data will not be disclosed to remote
attackers and is a good defense-in-depth measure when writing a secure ASP.
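As an added example (not code from the book), a small Python check that parses a web.config fragment and reports whether its customErrors element still exposes detailed errors to remote clients or lacks the defaultRedirect page described above; the two sample configurations and the ~/Error.aspx path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments: the weak setting a developer leaves behind
# after troubleshooting, and the hardened setting the countermeasure recommends.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings for the <customErrors> element of a web.config.

    An empty list means remote clients will not see the detailed ASP.NET error page
    (stack trace, source snippet) and are sent to the application's own error page.
    """
    findings = []
    elem = ET.fromstring(web_config_xml).find("./system.web/customErrors")
    if elem is None:
        # Undeclared: ASP.NET falls back to RemoteOnly, so remote users get the
        # generic runtime error page rather than a page the application controls.
        return ["customErrors not declared; no defaultRedirect page is configured"]
    mode = elem.get("mode", "RemoteOnly")
    if mode.lower() == "off":
        findings.append("customErrors mode=Off: detailed errors are sent to remote clients")
    if not elem.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect: generic runtime error page is used")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_custom_errors(cfg) or ["OK"])
```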