CWE-12 ASP.NET误配置：缺少定制错误页面

ASP.NET Misconfiguration: Missing Custom Error Page

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

适用平台

Language: {'cwe_Name': 'ASP.NET', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Confidentiality	Read Application Data	Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

可能的缓解方案

System Configuration

策略:

Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.

Architecture and Design

策略:

Do not attempt to process an error or attempt to mask it.

Implementation

策略:

Verify return values are correct and do not supply sensitive information about the system.

示例代码

例

The mode attribute of the tag in the Web.config file defines whether custom or default error pages are used.

In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.

bad ASP.NET

A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.

good ASP.NET

Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows: