Variant · Low-Medium

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

CWE-12 · Variant Level · 3 Mitigations

Potential Impact

Confidentiality: Read Application Data

Demonstrative Examples

The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used.

In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with a detailed stack trace and platform versions will be returned.

Bad:
    <customErrors mode="Off" />

A more secure setting is to set the custom error message mode for remote users only. In this example no defaultRedirect error page is specified: a local user on the web server will see a detailed stack trace, while remote users receive an ASP.NET error message that reveals the server's customErrors configuration setting and the platform version.

Good:
    <customErrors mode="RemoteOnly" />

Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows:

Good:
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
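The three settings above are the states a configuration audit needs to tell apart. The following Python script is an added example (not part of the CWE entry and not Microsoft's tooling) that parses a Web.config and rates its <customErrors> element: mode="Off" fails, a mode without defaultRedirect is a warning because remote clients still receive the framework's generic page, and a custom page passes. It also handles the case where the element is absent altogether, which ASP.NET treats as mode="RemoteOnly". All Web.config fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragments for this example (not taken from a real deployment);
# the three customErrors lines mirror the Bad/Good settings discussed above.
WEB_CONFIG_OFF = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

WEB_CONFIG_REMOTE_ONLY = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>"""

WEB_CONFIG_CUSTOM_PAGE = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
  </system.web>
</configuration>"""

# No customErrors element at all: ASP.NET then behaves as mode="RemoteOnly".
WEB_CONFIG_ABSENT = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

VALID_MODES = {"On", "Off", "RemoteOnly"}


def audit_custom_errors(web_config_xml: str) -> dict:
    """Classify the <customErrors> setting of one Web.config.

    verdict: "pass"  - a custom page is served for every error response
             "warn"  - the framework's generic error page still reaches clients
             "fail"  - detailed stack traces reach every client (mode="Off")
             "error" - the file is not well-formed XML or the mode is invalid
    Also reports mode, default_redirect, explicit (element present) and a reason.
    """
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return {"verdict": "error", "reason": f"Web.config is not well-formed XML: {exc}"}

    node = root.find("./system.web/customErrors")
    explicit = node is not None
    # Framework default when the element (or its mode attribute) is missing.
    mode = node.get("mode", "RemoteOnly") if explicit else "RemoteOnly"
    redirect = node.get("defaultRedirect") if explicit else None

    result = {"mode": mode, "default_redirect": redirect, "explicit": explicit}

    if mode not in VALID_MODES:
        result.update(verdict="error",
                      reason=f"mode={mode!r} is not a valid customErrors mode")
    elif mode == "Off":
        result.update(verdict="fail",
                      reason="detailed stack trace and platform versions are sent to every client")
    elif redirect:
        result.update(verdict="pass",
                      reason=f"mode={mode}: error responses go to the custom page {redirect!r}")
    else:
        # RemoteOnly hides detail from remote clients only; On hides it from everyone,
        # but without defaultRedirect both serve the framework's generic page.
        who = "remote" if mode == "RemoteOnly" else "all"
        note = "" if explicit else " (element absent; ASP.NET default applies)"
        result.update(verdict="warn",
                      reason=(f"mode={mode} without defaultRedirect: {who} clients receive the "
                              f"framework's generic error page, which still reveals the platform "
                              f"version{note}"))
    return result


if __name__ == "__main__":
    for name, cfg in [("Off", WEB_CONFIG_OFF), ("RemoteOnly", WEB_CONFIG_REMOTE_ONLY),
                      ("On+redirect", WEB_CONFIG_CUSTOM_PAGE), ("absent", WEB_CONFIG_ABSENT)]:
        r = audit_custom_errors(cfg)
        print(f"{name:12} -> {r['verdict']:5} {r['reason']}")
```

Point the script at every Web.config in a deployment, including ones in sub-directories, since a child configuration can override the parent's setting; treat anything other than "pass" as a finding to review.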

Mitigations & Prevention

System Configuration

Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.

Architecture and Design

Do not attempt to process an error or attempt to mask it.

Implementation

Verify that return values are correct and do not supply sensitive information about the system.
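Configuration review catches the setting, but the Implementation mitigation asks for a check on what the application actually returns. The following Python function is an added example (not part of the CWE entry) that rates an error response body from your own application by the markers the framework's default pages carry: stack traces, source lines, exception type names and local file paths indicate the detailed page; the "Server Error in '/' Application" banner, version information and the custom-error hint indicate the generic page that a RemoteOnly setting without defaultRedirect still serves. The three response bodies are constructed to resemble those pages and were not captured from any real site.

```python
import re

# Constructed response bodies for this example, written to resemble the shapes of
# ASP.NET's default error pages; none was captured from a real site.
DETAILED_BODY = """<html><body>
<h1>Server Error in '/' Application.</h1>
<h2>Object reference not set to an instance of an object.</h2>
<b>Source Error:</b> Line 42: var name = user.Name;
<b>Stack Trace:</b>
[NullReferenceException: Object reference not set to an instance of an object.]
   Example.Web.HomeController.Index() in C:\\build\\Example.Web\\HomeController.cs:42
<b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4494.0
</body></html>"""

GENERIC_BODY = """<html><body>
<h1>Server Error in '/' Application.</h1>
<h2>Runtime Error</h2>
<b>Description:</b> An application error occurred on the server. The current custom error
settings for this application prevent the details of the application error from being
viewed remotely (for security reasons).
<b>Version Information:</b> Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4494.0
</body></html>"""

CUSTOM_BODY = """<html><body>
<h1>Something went wrong</h1>
<p>Please try again later. Support reference: 7f3a9c</p>
</body></html>"""

# Markers that only the detailed (mode="Off" or local) page carries.
DETAIL_MARKERS = {
    "stack_trace": re.compile(r"Stack Trace:"),
    "source_error": re.compile(r"Source Error:"),
    "exception_type": re.compile(r"\[\w+Exception:"),
    "local_path": re.compile(r"\b[A-Za-z]:\\[^\s<>'\"]+"),
}
# Markers the framework's generic page still carries when no custom page is configured.
FRAMEWORK_MARKERS = {
    "framework_page": re.compile(r"Server Error in '[^']*' Application"),
    "version_info": re.compile(r"Version Information:|\.NET Framework Version:|ASP\.NET Version:"),
    "custom_error_hint": re.compile(r"custom error\s+settings", re.I),
}


def classify_error_response(body: str) -> dict:
    """Rate one error response body.

    level: "detailed"  - stack trace, source line or local path leaked
           "framework" - generic framework page; platform version still disclosed
           "custom"    - none of the framework's markers present
    markers: names of every marker that matched, for the report
    """
    detail_hits = [name for name, rx in DETAIL_MARKERS.items() if rx.search(body)]
    framework_hits = [name for name, rx in FRAMEWORK_MARKERS.items() if rx.search(body)]
    if detail_hits:
        level = "detailed"
    elif framework_hits:
        level = "framework"
    else:
        level = "custom"
    return {"level": level, "markers": detail_hits + framework_hits}


if __name__ == "__main__":
    for name, body in [("detailed", DETAILED_BODY), ("generic", GENERIC_BODY), ("custom", CUSTOM_BODY)]:
        r = classify_error_response(body)
        print(f"{name:9} -> {r['level']:9} markers={r['markers']}")
```

Run it over the bodies of every non-200 response collected from a staging deployment (for example by triggering a known-bad request against a test page); any "detailed" or "framework" result means the custom error page is not in effect for that path.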

Taxonomy Mappings

  • 7 Pernicious Kingdoms: ASP.NET Misconfiguration: Missing Custom Error Handling

Frequently Asked Questions

What is CWE-12?

CWE-12 (ASP.NET Misconfiguration: Missing Custom Error Page) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

How can CWE-12 be exploited?

Attackers can exploit CWE-12 (ASP.NET Misconfiguration: Missing Custom Error Page) to read application data. This weakness is typically introduced during the Implementation and Operation phases of software development.

How do I prevent CWE-12?

Key mitigations include handling exceptions appropriately in source code and configuring ASP.NET applications to use custom error pages instead of the framework default page.

What is the severity of CWE-12?

CWE-12 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.