CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page


An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

Example Vulnerable Codes

Example - 1

The mode attribute of the tag in the Web.config file defines whether custom or default error pages are used.

In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.

<customErrors mode="Off" />

A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.

<customErrors mode="RemoteOnly" />

Another secure option is to set the mode attribute of the tag to use a custom page as follows:

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit for more details.