In my application (ASP.NET Web API), if an attacker inserts arbitrary text in the API URL, that text is displayed in the 404 error page. This can be used by an attacker to trick users into clicking custom links or for phishing attacks.
I want to block any arbitrary text from showing up on error page like this. Point to note here, we have not implemented GUID based error messaging in application.
In order to set up a custom 404 error page add the following to web.config inside <system.web></system.web>:
    <customErrors mode="On" redirectMode="ResponseRewrite">
        <error statusCode="404" redirect="~/404.html"/>
    </customErrors>
I’ve set mode="On" so we can view the custom error pages locally. Generally you would only want to display these in production, so you would set mode="RemoteOnly".
Then also add custom error pages in IIS (note that this only works in IIS 7+). In web.config add the following inside <system.webServer></system.webServer>:
    <httpErrors errorMode="Custom">
        <remove statusCode="404"/>
        <error statusCode="404" path="/404.html" responseMode="File"/>
    </httpErrors>
If it doesn't help, as I don't know the architecture of your application, you should go for a route matching solution:
Implementing a smart IHttpRouteConstraint
Applying the constraint to attribute routing
Applying the constraint to centralized routing
Here are the details of the implementation:
https://www.strathweb.com/2014/10/route-matching-overriding-404-asp-net-web-api/
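A way to verify the result of the configuration above, added here as an example (it is not code from the question or the answer): it checks whether a 404 body echoes text taken from the requested path, in raw, URL-decoded or HTML-encoded form. The function names, the marker string and the sample bodies are constructed for illustration; `probe` is meant to be pointed at a site you operate.

```python
import html
import urllib.error
import urllib.parse
import urllib.request
import uuid

# Constructed sample 404 bodies (not captured from a real server).
MARKER = "probe-1234%20a%26b"
REFLECTING_JSON = ('{"Message":"No HTTP resource was found that matches the '
                   "request URI 'http://app.example.test/api/probe-1234 a&b'.\"}")
ENCODED_HTML = "<p>The resource /api/probe-1234 a&amp;b was not found.</p>"
STATIC_404 = "<html><body><h1>Page not found</h1></body></html>"


def marker_variants(marker):
    """Forms in which text sent in the URL path can come back in a body."""
    decoded = urllib.parse.unquote(marker)
    return {marker, decoded, html.escape(marker), html.escape(decoded)}


def reflects_marker(body, marker):
    """True if the body echoes the marker raw, URL-decoded or HTML-encoded."""
    haystack = body.lower()
    return any(form.lower() in haystack for form in marker_variants(marker))


def probe(base_url, timeout=10):
    """Request a random non-existent path on a site you operate.

    Returns (status_code, reflected). reflected is False when the error
    page is a fixed page that does not echo any part of the URL.
    """
    marker = "probe-" + uuid.uuid4().hex + "%20text"
    url = base_url.rstrip("/") + "/" + marker
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        status, body = err.code, err.read()
    return status, reflects_marker(body.decode("utf-8", "replace"), marker)


if __name__ == "__main__":
    for name, body in [("json", REFLECTING_JSON), ("html", ENCODED_HTML),
                       ("static", STATIC_404)]:
        print(name, reflects_marker(body, MARKER))
```

An HTML-encoded echo is still a reflection: the text is not executed as markup, but it is still shown to the user, which is the concern raised in the question.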
Related
I am setting up a user acceptance site on my GoDaddy server. I have read through a bunch of posts and done multiple things but nothing seems to work. While developing in Visual Studio and running the project, all works fine. On the live server, I do not get the custom error pages. It is running IIS 7.
I have tried different combinations of httpErrors and customErrors in the web.config, using both and each by itself. I have read that httpErrors is better to use if you have IIS 7. Below are the two areas of code. I am utilizing an Id to get the code and one page to pull all errors. I would like some thoughts on that as well. While other documents say you should use a static page for errors, with Razor pages it seems like a weird idea to me, as you would have to create the page outside of the project and then add it to it.
Originally I had these set up as the Index of Error but changed it because I thought that might have been the issue. Turns out not.
    <httpErrors errorMode="Custom">
        <remove statusCode="404" subStatusCode="-1"/>
        <error statusCode="404" path="Error/Index/404" responseMode="ExecuteURL"/>
        <error statusCode="500" path="Error/Index/500" responseMode="ExecuteURL"/>
    </httpErrors>
    <customErrors mode="On" defaultRedirect="~/Error/Oops">
        <error statusCode="404" redirect="~/Error/Oops/404"/>
        <error statusCode="500" redirect="~/Error/Oops/500"/>
    </customErrors>
Controller is simple
    public ActionResult Oops(int id)
    {
        Response.StatusCode = id;
        return View();
    }
I would also note that the URL link for the Error is correct. Even if I go directly to the custom error page URL I get the 404 page but not the custom page. To me if you have a controller that is serving up a view and you give it the information it needs, it should come up.
EDIT -
Also when I use the httpErrors I get this on the page -
The page cannot be displayed because an internal server error has occurred.
Is there something on the server that needs to be toggled on or off?
Did a little digging and found a little more detailed document. Here is what fixed my issue.
    <httpErrors errorMode="Custom" defaultResponseMode="ExecuteURL" existingResponse="Replace">
        <remove statusCode="404"/>
        <error statusCode="404" path="/Error/Oops/404" responseMode="ExecuteURL"/>
        <remove statusCode="500"/>
        <error statusCode="500" path="/Error/Oops/500" responseMode="ExecuteURL"/>
    </httpErrors>
I am using both httpErrors and customErrors. No changes were made with customErrors.
I write custom error pages for my MVC 5 web app. That's why I extended my web.config:
    <customErrors mode="On" defaultRedirect="~/Error/">
        <error redirect="~/Error/?code=404" statusCode="404" />
    </customErrors>
My Index action is called properly but I want to know the called URL that was not found. How can I get it?
I've tried some ways to deploy my custom error page (e.g. error.aspx) onto my website:
Added customErrors:
    <customErrors mode="On" defaultRedirect="error.aspx" />
Added httpErrors:
    <httpErrors>
        <remove statusCode="404" subStatusCode="-1" />
        <error statusCode="404" prefixLanguageFilePath="" path="error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
Currently, I can point this URL to my custom error page:
http://test.localdev.net/random_text.aspx
However, I failed for this kind of URL (unsupported extension); for these URLs IIS will use its own 404 page:
http://test.localdev.net/Default.random
Could anyone help me to fix it?
Thanks
Are you using IIS7 or later in integrated mode? Otherwise I think you need to configure error pages in IIS itself.
I'd like all errors to go to the same error page. I did initially try the error tag with status codes. That works fine, but I'd rather not have to specify so many status codes and still have every error go to one page. The problem is that if I remove the status code entries, a 404 goes to the server's 404 page and not my error page.
Is there some way to configure all errors to go to the same page?
You should change your web.config and add the customErrors element. You can then set the default redirect to a single page.
For example:
    <customErrors mode="On" defaultRedirect="Error.aspx">
    </customErrors>
You can refer to the MSDN article
http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
On IIS7, you can use the new httpErrors section
    <system.webServer>
        <httpErrors defaultPath="Error.aspx" defaultResponseMode="Redirect">
        </httpErrors>
    </system.webServer>
For more information
http://www.iis.net/ConfigReference/system.webServer/httpErrors
If I understand well, you need to send all errors to your custom error page, and the errors that IIS7 gives (not only your program).
This is something that you need to set up on IIS7, but you can also set it up from web.config (but it actually gives instructions to IIS7). Here is an example:
    <configuration>
        <system.webServer>
            <httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File">
                <remove statusCode="500" />
                <error statusCode="500"
                       prefixLanguageFilePath="C:\Contoso\Content\errors"
                       path="500.htm" />
            </httpErrors>
        </system.webServer>
    </configuration>
reference: http://www.iis.net/ConfigReference/system.webServer/httpErrors
I've edited the web.config in my Web Application (WebForms, .NET 4), adding this:
    <customErrors mode="On" defaultRedirect="CustomError.aspx" redirectMode="ResponseRewrite">
        <error statusCode="404" redirect="CustomError.aspx" />
    </customErrors>
Now, if I request this page http://localhost/TestRedirect/asdasdasd (which doesn't exist), I'd like to get the CustomError.aspx page (where I'll evaluate the page and redirect to the right source).
But in fact I get the HTTP 404.0 - Not Found. Unfortunately I can't use httpErrors (due to my hosting permission), but maybe I can do it with customErrors? Or any other suggestions would be appreciated...
Your request is not coming to the ASP.NET engine. Your customErrors tag will work fine if you use a URL like
http://localhost/TestRedirect/asdasdasd.aspx
What version of IIS does your web hosting provider have?