Penetration Testing mailing list archives
RE: Web app error messages.
From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Thu, 26 Oct 2006 15:40:53 -0600
That's a standard IIS message that is given out when you try to browse the root of a directory that does not exist.

http://support.microsoft.com/kb/185380/EN-US/

You can simply drop an appropriate index.html (or other default named) file in there if you want to customize the message depending on the directory that is entered.

http://support.microsoft.com/kb/320051

or...

You can configure IIS to automatically return a specific page rather than the directory listing error. (See error 403.14)

http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iierrabt.htm

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Lee Lawson
Sent: Thursday, October 26, 2006 8:17 AM
To: pen-test () securityfocus com
Subject: Web app error messages.

Hi all,

I have recently conducted a web application penetration test for a client and I am a little stuck as to the resolution advice I need to give.

I have highlighted, among other things, the enumeration of 'hidden' directories within the app. This is normally conducted by finding Access Denied or Forbidden messages, but I have come across the following message:

"Virtual Directory Listing Denied."

That is all that is displayed on the page! They are using asp and IIS.

What I need to know is: what exactly is creating the error message? IIS? ASP? etc. How to create a bespoke error message or preferably redirect the user to the home page?

Thanks in advance.

--
Lee J Lawson
leejlawson () gmail com
leejlawson () hushmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."
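Added example (not part of the original thread and not either poster's code): a Python check, run over responses already captured from your own server, that the directories in question answer exactly like a path that does not exist. The sample responses, path names and the `audit`/`fingerprint` helpers are constructed for illustration.

```python
import hashlib
import re

# Substring of the message quoted in the thread, matched case-insensitively.
MARKER = "directory listing denied"

def fingerprint(status, body):
    """Reduce a response to (status, hash of whitespace-normalised body)."""
    text = re.sub(r"\s+", " ", body).strip().lower()
    return status, hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(responses, baseline_path):
    """Return {path: [issues]} for responses that can be told apart from
    the response for baseline_path, a path known not to exist."""
    baseline = fingerprint(*responses[baseline_path])
    findings = {}
    for path, (status, body) in responses.items():
        issues = []
        if MARKER in body.lower():
            issues.append("default listing-denied message")
        if fingerprint(status, body) != baseline:
            issues.append("differs from nonexistent-path baseline")
        if issues:
            findings[path] = issues
    return findings

# Constructed sample data: path -> (HTTP status, body).
NOT_FOUND = (404, "<h1>Page not found</h1>")
BEFORE = {"/no-such-dir/": NOT_FOUND,
          "/admin/": (403, "Virtual Directory Listing Denied."),
          "/includes/": (403, "Virtual Directory Listing Denied.")}
# Custom text, but the status code still separates real directories.
TEXT_ONLY = {"/no-such-dir/": NOT_FOUND,
             "/admin/": (403, "<h1>Page not found</h1>"),
             "/includes/": (403, "<h1>Page not found</h1>")}
# Every probed path answers identically.
UNIFORM = {p: NOT_FOUND for p in BEFORE}

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("text only", TEXT_ONLY),
                         ("uniform", UNIFORM)):
        print(name, audit(sample, "/no-such-dir/"))
```

The `TEXT_ONLY` case shows that replacing only the message text leaves the directories distinguishable by status code, so the check passes only when status and body both match the baseline.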