One of my web applications went through some sort of security scan and came back with "Server error response vulnerabilities". I checked the web.config file and confirmed that the following line exists.
Listing 1
<customErrors mode="On" defaultRedirect="~/error.aspx">
When I navigate to "http://localhost/pagenotfound.aspx", I see the custom error page as expected. But when I navigate to "http://localhost/pagenotfound.haha", I see the following response headers in Fiddler.
Listing 2
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.1
Date: Tue, 18 Jan 2011 03:42:36 GMT
Connection: close
Content-Type: text/html
Content-Length: 108
According to the scan report, it is a best practice not to reveal the exact error message, or any hint, to the attacker, but to display a generic error message page instead. Here are the steps to implement it. If you have IIS 6.0:
- Right click the website and select Properties
- Click on the Custom Errors tab
- Scroll down the list and look for HTTP Error 404, see figure 1
- Double click HTTP Error 404 and you should see a popup window like the one in figure 2
- Select URL from the Message Type and type in the URL of the generic error message page
Figure 1
Figure 2
Now navigate to "http://localhost/pagenotfound.haha" and you should see the custom error page instead of the page not found error.
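The check above is done by hand in the browser. The following script, added here and not part of the original post, automates it: it requests a missing .aspx path (handled by ASP.NET) and a missing path with an unknown extension (handled by IIS itself), exactly as the post does, and reports any path whose response does not contain the site's own error page. The base URL, the marker text and the assumption that error.aspx contains that marker are all assumptions for this example; the responses used by the `if __name__` block are constructed.

```python
"""Probe a site for error responses that bypass the custom error page.

Example code added for this article, not from the original post.  The
base URL, the marker string and the probe paths are assumptions."""
import urllib.error
import urllib.request

# The two paths the article uses to compare ASP.NET and IIS handling.
PROBE_PATHS = ["/pagenotfound.aspx", "/pagenotfound.haha"]


def http_get(url):
    """Return (status, body) for url, treating 4xx/5xx as ordinary responses.

    urlopen follows the 302 that customErrors' defaultRedirect issues, so
    for the .aspx case the final body is error.aspx itself."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_leaky_paths(base_url, marker, fetch=http_get, paths=PROBE_PATHS):
    """Return the probe paths whose response does not contain `marker`.

    `marker` is a string that only the site's generic error page contains
    (assumption: the error.aspx from Listing 1 carries such a string).
    The status code is deliberately ignored: IIS keeps the 404 status
    when it executes a custom URL, and ASP.NET's redirect ends in a 200,
    so the body is the only reliable signal that the generic page was
    served."""
    leaky = []
    for path in paths:
        _status, body = fetch(base_url + path)
        if marker not in body:
            leaky.append(path)
    return leaky


if __name__ == "__main__":
    # Constructed responses standing in for a live site before the fix:
    # ASP.NET serves the custom page, IIS serves its stock 404 body.
    def fake_fetch(url):
        if url.endswith(".aspx"):
            return 200, "<html><body>Something went wrong (SITE-ERROR-PAGE)</body></html>"
        return 404, "<html><body>404 Object Not Found</body></html>"

    # Against a real host, drop the fetch= argument to use http_get.
    print(find_leaky_paths("http://localhost", "SITE-ERROR-PAGE", fetch=fake_fetch))
```

Running it against the pre-fix site reports only `/pagenotfound.haha`; once the IIS custom error for 404 points at the same page, the list is empty. Adding more paths to `PROBE_PATHS` (other unknown extensions, a directory that does not exist) widens the check without changing the logic.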
If you have IIS 7/7.5:
- Click on Error Pages under the IIS section, see figure 3
- Click on Edit Feature Settings
- You should see a window similar to figure 4
Figure 3
Figure 4
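Whether you use the IIS 6 Custom Errors tab or the IIS 7 Error Pages feature, the result on IIS 7 is an httpErrors section in web.config, separate from the customErrors section from Listing 1 that only covers requests ASP.NET handles. The following script, added here and not from the original post, embeds two constructed web.config samples (the post's starting point, and the same site with the IIS layer configured) and audits them for both layers. The element and attribute names are the IIS 7 configuration schema; the /error.aspx path is taken from Listing 1.

```python
"""Audit a web.config for generic error pages on both layers:
ASP.NET (<customErrors>) and IIS 7 itself (<httpErrors>).

Example code added for this article, not from the original post.  Both
web.config samples are constructed; /error.aspx comes from Listing 1."""
import xml.etree.ElementTree as ET

# Constructed: the article's starting point.  Only ASP.NET is configured,
# so a request IIS never hands to ASP.NET (/pagenotfound.haha) still gets
# the stock IIS 404 page.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
"""

# Constructed: the same site after the Error Pages feature is configured.
# errorMode="Custom" sends the custom page to local and remote clients
# alike; the <remove>/<error> pair overrides the inherited 404 entry so
# that IIS executes the site's own error page for it.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means both layers are set."""
    root = ET.fromstring(xml_text)
    findings = []

    # ASP.NET layer.  If the element is absent, ASP.NET's default mode is
    # RemoteOnly, which already hides details from remote clients.
    custom = root.find("system.web/customErrors")
    mode = custom.get("mode", "RemoteOnly") if custom is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors is Off: ASP.NET sends detailed errors to clients")

    # IIS layer.  Without this section, requests IIS serves itself
    # (static files, unknown extensions) fall back to the stock error pages.
    http_errors = root.find("system.webServer/httpErrors")
    if http_errors is None:
        findings.append("no httpErrors section: requests IIS handles itself "
                        "(e.g. /pagenotfound.haha) get the stock IIS error page")
        return findings
    if http_errors.get("errorMode", "DetailedLocalOnly") == "Detailed":
        findings.append("httpErrors errorMode=Detailed: IIS sends detailed errors to every client")
    entries = {e.get("statusCode") for e in http_errors.findall("error")}
    if "404" not in entries:
        findings.append("httpErrors has no 404 entry: the inherited IIS 404 page is still used")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or "ok")
```

The hardened sample audits clean; the weak one produces a single finding for the missing httpErrors section, which is exactly the gap the Fiddler capture in Listing 2 exposed. To audit a deployed site, read the site's web.config and pass its contents to `audit_web_config`; note that on IIS 7 the inherited 404 entry lives in applicationHost.config, so the remove/error pair in the site's web.config is what makes the override visible here.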
If you don't have access to IIS, or your web application is hosted with a hosting company, contact them and request that Remote IIS Manager be enabled for your domain.
To download and install the IIS 7.0 Manager, use one of the following links:
For X86 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1626
For X64 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1633
Once you have it installed, click on File and then Connect to a Site. You should see a window similar to figure 5. Insert the server name or URL (yourdomain.com) and give your site a name (my new domain).
Figure 5