Monday, February 1, 2010

customerrors tag and Information Leakage

Information leakage through poor error handling is one way an attacker can gain deeper knowledge of your application. In this post we look at the <customErrors> element in your ASP.NET web.config file and how ASP.NET behaves with the different attribute values you set.

The two main attributes of <customErrors> are mode and defaultRedirect.

mode can be set to On, Off or RemoteOnly.

defaultRedirect should be set to the name of your error page (or you can leave the attribute out, i.e. unset).

For example, you could use the element like so:

<customErrors mode="RemoteOnly" defaultRedirect="error.htm" />

The following table shows the results of my testing the behavior of ASP.NET (3.5) with different combinations of settings for these two attributes.



From the results above we can deduce that setting mode to Off is a definite no-no. Ever!

RemoteOnly seems to be the most useful setting, since it lets developers troubleshoot locally without leaking information to remote users. Setting an error page is also recommended, since it makes for a better-looking error page than the one ASP.NET offers by default.
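As an added example that is not part of the original post, here is a small Python audit that reads a web.config and flags the leaky settings discussed above. The two embedded configs are constructed samples; the check assumes ASP.NET's documented behaviour that a missing <customErrors> element falls back to RemoteOnly and that attribute names in web.config are case-sensitive.

```python
"""Audit the <customErrors> element of an ASP.NET web.config (constructed samples)."""
import xml.etree.ElementTree as ET

# Constructed sample: detailed exception pages go to every client.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: detailed errors only for local requests, friendly page for everyone else.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />
  </system.web>
</configuration>"""


def audit_custom_errors(config_xml: str) -> list:
    """Return a list of findings; an empty list means the element is configured safely."""
    findings = []
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        # ASP.NET falls back to RemoteOnly when the element is absent, but an explicit
        # setting documents the intent and survives copy-paste from other configs.
        return ["customErrors element missing; relying on the implicit RemoteOnly default"]
    # web.config attribute names are case-sensitive: 'Mode' or 'DefaultRedirect' is
    # rejected by ASP.NET as an unrecognized attribute rather than silently honoured.
    for name in node.attrib:
        if name not in ("mode", "defaultRedirect") and name.lower() in ("mode", "defaultredirect"):
            findings.append(f"attribute '{name}' has the wrong case and will be rejected")
    mode = node.get("mode", "RemoteOnly")
    if mode == "Off":
        findings.append('mode="Off" sends detailed exception pages to remote clients')
    elif mode not in ("On", "RemoteOnly"):
        findings.append(f"unexpected mode value '{mode}'")
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect set; the default ASP.NET error page will be shown")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_custom_errors(cfg) or ["ok"])
```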
