CWE-12 Detail

CWE-12

ASP.NET Misconfiguration: Missing Custom Error Page
Draft
2006-07-19
00h00 +00:00
2023-06-29
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: ASP.NET Misconfiguration: Missing Custom Error Page

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

General Informations

Background Details

The mode attribute of the tag defines whether custom or default error pages are used.

Modes Of Introduction

Implementation
Operation

Applicable Platforms

Language

Name: ASP.NET (Undetermined)

Common Consequences

Scope Impact Likelihood
ConfidentialityRead Application Data

Note: Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

Potential Mitigations

Phases : System Configuration
Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.
Phases : Architecture and Design
Do not attempt to process an error or attempt to mask it.
Phases : Implementation
Verify return values are correct and do not supply sensitive information about the system.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-65

19 Deadly Sins of Software Security
M. Howard, D. LeBlanc, J. Viega.

REF-66

ASP.NET Misconfiguration: Missing Custom Error Handling
OWASP, Fortify Software.
http://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling

Submission

Name Organization Date Date release Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, References, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Relationships
CWE Content Team MITRE 2008-11-24 +00:00 updated Common_Consequences, Other_Notes, Potential_Mitigations
CWE Content Team MITRE 2009-03-10 +00:00 updated Name, Relationships
CWE Content Team MITRE 2009-07-27 +00:00 updated Background_Details, Common_Consequences, Other_Notes
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes