ASP.NET Misconfiguration: Missing Custom Error Page
Weakness ID: 12 (Weakness Variant)Status: Draft
+ Description

Description Summary

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms



+ Common Consequences

Default error pages gives detailed information about the error that occurred, and should not be used in production environments.

Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

+ Demonstrative Examples

Example 1

Custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.

(Bad Code)
Example Language: ASP.NET 
<customErrors ... mode="Off" />

Example 2

Custom error message mode for remote user only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.

(Good Code)
Example Language: ASP.NET 
<customErrors mode="RemoteOnly" />
+ Potential Mitigations

Handle exceptions appropriately in source code. The best practice is to use a custom error message. Make sure that the mode attribute is set to "RemoteOnly" in the web.config file as shown in the following example.

(Good Code)
<customErrors mode="RemoteOnly" />

The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. It should be configured to use a custom page as follows:

(Good Code)
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

Do not attempt to process an error or attempt to mask it.

Verify return values are correct and do not supply sensitive information about the system.

ASP .NET applications should be configured to use custom error pages instead of the framework default page.

+ Background Details

The mode attribute of the <customErrors> tag defines whether custom or default error pages are used.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory10ASP.NET Environment Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class756Missing Custom Error Page
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsASP.NET Misconfiguration: Missing Custom Error Handling
+ References
M. Howard, D. LeBlanc and J. Viega. "19 Deadly Sins of Software Security". McGraw-Hill/Osborne. 2005.
OWASP, Fortify Software. "ASP.NET Misconfiguration: Missing Custom Error Handling". <>.
+ Content History
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated References, Demonstrative Example, Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, References, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Relationships
2008-11-24CWE Content TeamMITREInternal
updated Common Consequences, Other Notes, Potential Mitigations
2009-03-10CWE Content TeamMITREInternal
updated Name, Relationships
2009-07-27CWE Content TeamMITREInternal
updated Background Details, Common Consequences, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2009-03-10ASP.NET Misconfiguration: Missing Custom Error Handling