|
|
|
|
CWE-12 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Draft 12 (Weakness Variant) | | Description | Summary An ASP .NET application must enable custom error pages in order to prevent attackers from
mining information from the framework's built-in responses. | | Potential Mitigations | Handle exceptions appropriately in source code. Do not attempt to process an error or attempt to mask it. Verify return values are correct and do not supply sensitive information about the
system. | | Context Notes | ASP .NET applications should be configured to use custom error pages instead of the
framework default page. The default error page gives detailed information about the error that
occurred, and should not be used in production environments. The mode attribute of the
tag defines whether custom or default error pages are used. Attackers
can leverage the additional information provided by a default error page to mount attacks targeted
on the framework, database, or other resources used by the application. | | References | M. Howard,
D. LeBlanc and J. Viega.
"19 Deadly Sins of Software Security". McGraw-Hill/Osborne. 2005. | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - ASP.NET Misconfiguration: Missing Custom Error Handling | | Applicable Platforms | .NET |
|