Custom Error Page vulnerability

  • Thread starter Thread starter Nedim
  • Start date Start date
N

Nedim

Guest
IIS comes with default error pages. In order to help troubleshooting issues, these error pages may provide detailed information about the application and server. Therefore, some penetration testing tools may flag this situation as a vulnerability. An example pentest report:



Missing Custom Error Page (CWE ID 756)
The software fails to return custom error pages to the user, possibly resulting in an information leak.



medium?v=1.jpg





Solution




Unless detailed error pages are enabled for remote requests in IIS, I wouldn’t classify this situation as a critical vulnerability.

medium?v=1.png



If you want to have a clean security scan report (and you want your users to see more meaningful error pages), you can create custom error pages.



In the case I worked on, the tool brought up this report for a folder that doesn’t have a default page. For this situation, there are a few easy workarounds:



  1. Add an index.html file to the folder. This should prevent that URL to be flagged again
  2. Customize IIS defaullt page for 403 error (C:\inetpub\custerr\en-US\403.html). Pentest tool is likely to mark the URL pass if that page is customized
  3. Enforce custom error pages in web.config

Continue reading...
 
Back
Top