WebApp Sec mailing list archives

Re: ISS6 - ASP.NET


From: "Ernie Nelson" <juridian () juridian com>
Date: Tue, 9 Sep 2003 07:44:54 -0700


2. The second portion of your question relates to the comprehensiveness of
the response, which is clearly a vulnerability. Go into the web.config and
turn customErrors on, and you can direct what error information you give
back, rather than giving the caller a complete stack trace. This mode
is intended to be used while in development only.


The web.config by default is set to only show the stack trace to the user if
they are running the browser from the web server. If you are on another
machine, it will give you an entirely different message telling the user
about web.config.

If you do a quick search of Google you can find a snippet of code and
instructions on how to catch any unhandled web app errors through the
global.asax and take action upon them from there (emailing someone,
whatever...).

Ernest Nelson - GSEC, MCP
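The global.asax handler the reply refers to, written out as an added example (this is not code from the original post or from the thread). It assumes ASP.NET 1.1, the version current at the time, and the matching web.config setting `<customErrors mode="On" defaultRedirect="~/error.aspx" />`. For reference, the shipped default is `RemoteOnly`: the full stack trace is rendered only for a browser on the server itself and every other caller gets the generic page, while `Off` renders the trace to everyone, which is the setting to avoid on a public host. The event-log source name, the SMTP server and the recipient address are assumptions for illustration.

```csharp
// Global.asax.cs -- added example, not the original poster's code.
// Pairs with web.config:
//   <customErrors mode="On" defaultRedirect="~/error.aspx" />
// Application_Error runs for any exception a page does not handle itself, so
// this is the one place to log the full detail server-side and make sure the
// HTTP response carries nothing more than a generic page.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mail;   // .NET 1.x mail API (System.Net.Mail arrived in 2.0)

public class Global : HttpApplication
{
    // All three values are assumptions; adjust for the real deployment.
    // The event-log source must be created once by an administrator, because
    // the ASPNET worker account normally cannot register a new source.
    const string EventSource = "WebAppSec";
    const string SmtpServer  = "smtp.example.internal";
    const string AlertTo     = "webmaster@example.internal";

    protected void Application_Error(object sender, EventArgs e)
    {
        // GetLastError returns the exception ASP.NET is about to render; for a
        // page-level failure it is wrapped in HttpUnhandledException, so unwrap
        // to the innermost cause for the log entry.
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        Exception cause = ex.GetBaseException();

        // Full detail (type, message, stack trace, request line) goes to the
        // server-side record only and never into the response body.
        string detail = String.Format(
            "Unhandled error on {0} {1}\r\n{2}",
            Request.HttpMethod, Request.RawUrl, cause);

        try
        {
            EventLog.WriteEntry(EventSource, detail, EventLogEntryType.Error);
        }
        catch (Exception)
        {
            // Logging must not itself become a second unhandled error that
            // reaches the caller; swallow and continue to the notification.
        }

        try
        {
            // "Emailing someone" as the post suggests: a terse alert, since
            // mail relays and inboxes are a weaker place to keep stack traces.
            SmtpMail.SmtpServer = SmtpServer;
            SmtpMail.Send("webapp@example.internal", AlertTo,
                "Unhandled error in web app: " + cause.GetType().Name,
                "See the Application event log on " + Server.MachineName +
                " for the full stack trace. Request: " + Request.RawUrl);
        }
        catch (Exception)
        {
            // Same reasoning: a failed SMTP call must not surface to the caller.
        }

        // Discard the exception so ASP.NET does not render its own error page
        // (which, with customErrors Off, is the stack trace the thread is about),
        // then send the caller to a static generic page. The second argument
        // keeps Redirect from throwing ThreadAbortException inside the handler.
        Server.ClearError();
        Response.Redirect("~/error.aspx", false);
    }
}
```

Two points worth checking after wiring this in: request the site from a browser on another machine and confirm that a deliberately thrown exception yields only error.aspx, and confirm error.aspx itself is a plain static page, because an exception thrown while rendering the error page is the one case this handler cannot catch cleanly.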
