
Common mistakes in the web.config file

  1. Custom Errors Disabled

When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default.

Wrong configuration:

<configuration>
  <system.web>
    <!-- mode="Off" sends the full ASP.NET error page to every client -->
    <customErrors mode="Off" />
  </system.web>
</configuration>

Right configuration:

<configuration>
  <system.web>
    <!-- mode="RemoteOnly" shows details only to requests from the local machine -->
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>

The more information a hacker can gather about a Web site, the more likely it is that he will be able to successfully attack it. An error message can be of vital significance to an attacker. A default ASP.NET error message lists the specific versions of ASP.NET and the .NET framework which are being used by the Web server, as well as the type of exception that was thrown. Just knowing which Web-based applications are used (in this case ASP.NET) compromises application security by telling the attacker that the server is running a relatively recent version of Microsoft Windows and that Microsoft Internet Information Server (IIS) 6.0 or later is being used as the Web server.
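As an added example that is not part of the original page, the following Python audit parses a web.config fragment and reports whether the customErrors setting above would leak detailed errors to remote clients; the sample fragments are constructed, and it assumes the ASP.NET behaviour that a missing customErrors element falls back to RemoteOnly.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments; not taken from any real deployment.
WRONG_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

RIGHT_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>"""

# No customErrors element at all: ASP.NET falls back to RemoteOnly (assumed default).
MISSING_CONFIG = """<configuration>
  <system.web />
</configuration>"""


def audit_custom_errors(web_config_xml):
    """Return (mode, source, leaks) for the customErrors element in a web.config.

    mode   : the effective customErrors mode string
    source : "explicit" when the attribute is set, "default" when it is absent
    leaks  : True when the effective mode is Off, i.e. remote clients receive
             the verbose ASP.NET error page the article warns about
    """
    root = ET.fromstring(web_config_xml)
    elem = root.find("./system.web/customErrors")
    if elem is None or elem.get("mode") is None:
        mode, source = "RemoteOnly", "default"
    else:
        mode, source = elem.get("mode"), "explicit"
    # Compare case-insensitively so a loosely written config is still caught.
    leaks = mode.strip().lower() == "off"
    return mode, source, leaks


if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG_CONFIG), ("right", RIGHT_CONFIG), ("missing", MISSING_CONFIG)):
        mode, source, leaks = audit_custom_errors(cfg)
        verdict = "LEAKS verbose errors to remote clients" if leaks else "ok"
        print(f"{label:8} mode={mode:<11} ({source}) -> {verdict}")
```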

You can build up application security to prevent such information leakage by modifying the mode attribute of the