Not logged in - Login
< back

Common mistakes in the web.config file

  1. Custom Errors Disabled

When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default.

Wrong configuration: 

<configuration>
  <system.web>
    <customErrors mode="Off">

Right configuration: 

<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">

The more information a hacker can gather about a Web site, the more likely it is that he will be able to successfully attack it. An error message can be of vital significance to an attacker. A default ASP.NET error message lists the specific versions of ASP.NET and the .NET framework which are being used by the Web server, as well as the type of exception that was thrown. Just knowing which Web-based applications are used (in this case ASP.NET) compromises application security by telling the attacker that the server is running a relatively recent version of Microsoft Windows and that Microsoft Internet Information Server (IIS) 6.0 or later is being used as the Web server.

You can build up application security to prevent such information leakage by modifying the mode attribute of the 'customErrors' element to "On" or "RemoteOnly." This setting instructs Web-based applications to display a nondescript, generic error message when an unhandled exception is generated. Another way to circumvent this application security issue is to redirect the user to a new page when errors occur by setting the "defaultRedirect" attribute of the 'customErrors' element. This approach can provide even better application security because the default generic error page still gives away too much information about the system (namely, that it's using a Web.config file, which reveals that the server is running ASP.NET).

  1. Leaving Tracing Enabled in Web-Based Applications

The trace feature of ASP.NET is one of the most useful tools that you can use to ensure application security by debugging and profiling your Web-based applications. Unfortunately, it is also one of the most useful tools that a hacker can use to attack your Web-based applications if it is left enabled in a production environment.

Wrong configuration: 


<configuration>
  <system.web>
    <trace enabled="true" localOnly="false">

Right configuration: 


<configuration>
  <system.web>
    <trace enabled="false" localOnly="true">

When the