Variant · Draft

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

Category: config

Description

An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Common consequences

  • Confidentiality — Read Application Data
    Default error pages give detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted at the framework, database, or other resources used by the application.

Potential mitigations

  • [System Configuration] Handle exceptions appropriately in source code. ASP.NET applications should be configured to use custom error pages instead of the framework default page.
  • [Architecture and Design] Do not attempt to process an error or attempt to mask it.
  • [Implementation] Verify return values are correct and do not supply sensitive information about the system.
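
One way to check a deployed configuration for this weakness, as an added example that is not part of the CWE entry: a Python script that parses a web.config document and reports on its `customErrors` element. The two sample documents and the page paths in them (`~/Error.aspx`, `~/NotFound.aspx`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting this entry describes.
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

# Constructed sample: custom pages configured (page paths are placeholders).
HARDENED = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
    <error statusCode="404" redirect="~/NotFound.aspx" />
  </customErrors>
</system.web></configuration>"""


def local(tag):
    """Element name without an XML namespace prefix, if one is declared."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return (severity, message) findings for one trusted web.config document."""
    root = ET.fromstring(web_config_xml)
    # root.iter() also reaches <system.web> nested under <location> overrides.
    sections = [el for el in root.iter() if local(el.tag) == "system.web"]
    if not sections:
        return [("WARN", "no <system.web>: customErrors is inherited from a parent config")]
    findings = []
    for section in sections:
        ce = next((c for c in section if local(c.tag) == "customErrors"), None)
        if ce is None:
            findings.append(("WARN", "customErrors not set: inherited or default value applies"))
            continue
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when the attribute is omitted
        has_page = bool(ce.get("defaultRedirect")) or any(local(c.tag) == "error" for c in ce)
        if mode.lower() == "off":
            findings.append(("FAIL", "mode=Off: detailed framework errors are sent to every client"))
        elif not has_page:
            findings.append(("WARN", f"mode={mode} but no defaultRedirect or <error> mapping"))
        else:
            findings.append(("OK", f"mode={mode}, custom page configured"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        for severity, message in audit_custom_errors(doc):
            print(f"{name}: {severity}: {message}")
```
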

References

  1. https://cwe.mitre.org/data/definitions/12.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: ASP.NET Misconfiguration: Not Using Input Validation Framework
  • CWE: J2EE Misconfiguration: Missing Custom Error Page
  • CWE: ASP.NET Misconfiguration: Improper Model Validation
  • CWE: ASP.NET Misconfiguration: Password in Configuration File
  • CWE: Missing Custom Error Page
  • CWE: ASP.NET Misconfiguration: Creating Debug Binary

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.