CWE - CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

ASP.NET Misconfiguration: Missing Custom Error Page

Weakness ID: 12 (Weakness Variant)

Status: Draft

Description

Description Summary

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Time of Introduction

Implementation
Operation

Applicable Platforms

Languages

.NET

Common Consequences

Scope	Effect
Confidentiality	Technical Impact: Read application data Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

Demonstrative Examples

Example 1

An insecure ASP.NET application setting:

(Bad Code)

Example Language: ASP.NET

Custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.

Here is a more secure setting:

(Good Code)

Example Language: ASP.NET

Custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.

Potential Mitigations

Phases: System Configuration; Implementation

Handle exceptions appropriately in source code. The best practice is to use a custom error message. Make sure that the mode attribute is set to "RemoteOnly" in the web.config file as shown in the following example.

(Good Code)

The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. It should be configured to use a custom page as follows:

(Good Code)

Phase: Architecture and Design

Do not attempt to process an error or attempt to mask it.

Phase: Implementation

Verify return values are correct and do not supply sensitive information about the system.

Phase: System Configuration

ASP .NET applications should be configured to use custom error pages instead of the framework default page.

Background Details

The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	2	Environment	Seven Pernicious Kingdoms (primary)700
ChildOf	Category	10	ASP.NET Environment Issues	Development Concepts (primary)699
ChildOf	Weakness Class	756	Missing Custom Error Page	Research Concepts (primary)1000
ChildOf	Category	895	SFP Cluster: Information Leak	Software Fault Pattern (SFP) Clusters (primary)888

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			ASP.NET Misconfiguration: Missing Custom Error Handling

References

M. Howard, D. LeBlanc and J. Viega. "19 Deadly Sins of Software Security". McGraw-Hill/Osborne. 2005.

OWASP, Fortify Software. "ASP.NET Misconfiguration: Missing Custom Error Handling". <http://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	7 Pernicious Kingdoms		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other_Notes, References, Taxonomy_Mappings
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Relationships
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Common_Consequences, Other_Notes, Potential_Mitigations
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Name, Relationships
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Background_Details, Common_Consequences, Other_Notes
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2011-06-27	CWE Content Team	MITRE	Internal
2011-06-27	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Demonstrative_Examples, Relationships
2012-10-30	CWE Content Team	MITRE	Internal
2012-10-30	updated Potential_Mitigations
2013-02-21	CWE Content Team	MITRE	Internal
2013-02-21	updated Potential_Mitigations
Previous Entry Names
Change Date	Previous Entry Name
2009-03-10	ASP.NET Misconfiguration: Missing Custom Error Handling

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us