Last post Sep 23, 2010 05:52 AM by Duncan Smart
Sep 22, 2010 04:19 AM|fimatronn
We redirect all errors to an error page and not-found errors to a NotFound page like this:

```xml
<customErrors mode="RemoteOnly" defaultRedirect="~/Error">
  <error statusCode="404" redirect="~/NotFound" />
</customErrors>
```
In global.asax, however, we log the error and put an error GUID in session:

```csharp
protected void Application_Error(Object sender, EventArgs e)
{
    Exception error = Server.GetLastError();
    Guid exceptionId = Guid.NewGuid();

    try
    {
        // Put the error id in session so we can show it on the error page
        Session["CurrentErrorId"] = exceptionId.ToString();
    }
    catch (HttpException sessionNotAvailable)
    {
        // Session state is not available for every request (e.g. static files); skip it
    }

    if (error != null)
    {
        // Log the inner exception if we get one (because the real error is wrapped in an HttpException when passed here)
        Exception loggedError = error.GetBaseException();
        string exceptionMessage = MyCustomLogger.GetExceptionMessage(loggedError, exceptionId);
        MyCustomLogger.WriteEvent(loggedError, exceptionId, EventLogEntryType.Error);
    }
}
```
Then on the error page we show static text, but also the error GUID:

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    Response.StatusCode = 500;
    string exceptionId = Session["CurrentErrorId"] as string;
    // Show the id when we have one, otherwise a placeholder
    if (!string.IsNullOrEmpty(exceptionId))
        lblExceptionId.Text = exceptionId;
    else
        lblExceptionId.Text = "-";
}
```
Is this all right?
asp.net vulnerability error page with error guid
Sep 22, 2010 09:15 AM|Rovastar
My understanding is if the client always receives a single error HTTP status code and the page cannot be distinguished in any way then you should be ok. By displaying the GUID it is unlikely that you will have a problem but it all depends on what is happening there and if the hacker could find out the information based on that GUID. I think it is obscure enough to be protected anyway.
Sep 22, 2010 10:17 AM|owjeff
You are not protected because different error pages are returned for 404 and 500 errors. Comment out the custom 404 error in the customErrors section.
Sep 23, 2010 01:41 AM|fimatronn
Hi and thanks for the answers.
Are you sure that an attacker can utilize the fact that we show different error pages for unhandled exceptions and "page not found" when we don't show any info about the error on the error page? Doesn't the attacker need more explicit knowledge of the error, like the Yellow Screen of Death?
Sep 23, 2010 05:52 AM|Duncan Smart
No, all the info they need is "did a crypto error occur or not with this value?" If a request to webresource.axd (e.g. returns HTTP 404) can be differentiated from a request to webresource.axd?d=foo (e.g. returns HTTP 500) then they have all the information they need to start pounding webresource.axd with varying values of 'd' to ultimately start forging auth cookies etc.

This is why it's crucial to not give the attacker any clue about what type of error occurred - e.g. generic 404 error.
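Putting Duncan Smart's point into configuration, as an added example that is not code from the thread: the posted customErrors section answers 404 and 500 with different pages, which is the distinguisher; the hardened version below sends every error to one page that always renders the same markup with the same status code, and adds the random delay from the pattern of Microsoft's published workaround for this issue so timing does not become a second distinguisher. The page name ~/Error.aspx and the lblExceptionId control are assumptions based on the thread.

```csharp
// Weak (as posted): a 404 and a 500 produce different responses, which is the oracle.
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error">
//     <error statusCode="404" redirect="~/NotFound" />
//   </customErrors>
//
// Hardened web.config fragment: no per-status entries, one page for every error,
// served in place (ResponseRewrite) so the URL does not change with the error type.
//   <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />

using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web;
using System.Web.UI;

// Code-behind for ~/Error.aspx (assumed page name). Whatever went wrong,
// 404 or unhandled exception, the client gets exactly this response.
public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // One status code for every error; answering 404 vs 500 per type is the leak.
        Response.StatusCode = 500;
        // Stop IIS from replacing the body with its own status-specific error page.
        Response.TrySkipIisCustomErrors = true;
        Response.Cache.SetCacheability(HttpCacheability.NoCache);

        // Keep the correlation id from the thread; it is a value we generated, not error detail.
        string exceptionId = Session["CurrentErrorId"] as string;
        lblExceptionId.Text = string.IsNullOrEmpty(exceptionId) ? "-" : exceptionId;

        // Random 0..255 ms delay from a cryptographic RNG so response time does not
        // reveal which code path produced the error either.
        byte[] delay = new byte[1];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(delay);
        }
        Thread.Sleep(delay[0]);
    }
}
```

Verify with two requests, one to a path that does not exist and one that raises an exception: status line, headers and body should be byte-for-byte identical apart from the GUID.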