Several weeks ago one of my legacy web applications, written in Classic ASP, underwent a security scan. The report flagged a "server error response" vulnerability. I had already configured IIS to send a custom error page for HTTP 500 - Internal Server Error, and users were seeing that custom page instead of the error details, so what were we missing? We started debugging the application with Fiddler and found that the server was still returning status code 500 for the custom error page instead of 200. The custom page hid the details, but the status line itself still told the client that a server-side error had occurred.
The report explains that this exposure lets an attacker distinguish valid from invalid requests, since a request that triggers a server-side error is answered with a different status code than one that does not. After some research I found the Microsoft article "How Web site administrators can troubleshoot an "HTTP 500 - Internal Server Error" error message on IIS 4.0 or on IIS 5.0". The solution is to add the following two lines at the top of the custom error page (it must be an ASP page, not a static HTML file, so that the code is executed):
<%
Response.Clear
Response.Status = "200 OK"
%>
The first line, Response.Clear, erases any buffered HTML output so that the page displays a clean error page (this requires response buffering to be enabled, which is the default on IIS 5.0 and later; with buffering off, Response.Clear itself raises an error). The second line, Response.Status, sets the status line returned by the server; it must run before any output is flushed to the client, which is why both lines sit at the very top of the page. Load the page that throws HTTP 500 - Internal Server Error again, and the result should look like figure 2: a 200 status and only the generic error text in the body. Note that this only changes what the client sees; the underlying error still happens, so keep logging it on the server side, and make sure the custom page itself never echoes the exception text or the failing line.
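To confirm the fix without opening Fiddler, the following Python script (an added example written for this post, not code from the original page or from the Microsoft article) applies the two checks the scanner cares about: the status code must not be 5xx, and the body must not contain Classic ASP or IIS error detail. The leak patterns and the two sample responses are constructed for this example; pass a real URL as the first argument to run the same check against a live page.

```python
"""Check that an ASP/IIS error page leaks neither a 500 status nor error details."""
import re
import urllib.error
import urllib.request

# Strings that indicate Classic ASP / IIS error detail leaking into the body.
# Constructed list for this example; extend it for your own application.
LEAK_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"Microsoft VBScript (runtime|compilation) error",
        r"Microsoft OLE DB Provider",
        r"Active Server Pages error",
        r"ASP 0\d{3}",
        r"HTTP 500(\.\d+)? - Internal Server Error",
        r"error '[0-9a-fA-F]{8}'",   # VBScript error codes such as '800a000d'
    )
]


def assess_response(status, body):
    """Return a list of findings for one HTTP response.

    An empty list means the response looks like a clean custom error page:
    a non-5xx status and no server-side error detail in the body.
    """
    findings = []
    if status >= 500:
        findings.append(f"server error status {status} exposed to client")
    for pat in LEAK_PATTERNS:
        m = pat.search(body)
        if m:
            findings.append(f"error detail in body: {m.group(0)!r}")
    return findings


def fetch(url, timeout=10):
    """Fetch url and return (status, body). urllib raises on 5xx, so catch it."""
    req = urllib.request.Request(url, headers={"User-Agent": "error-page-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real server):
# what the scanner saw before the fix, and what it should see after.
SAMPLES = {
    "before": (500, "<html><body>HTTP 500 - Internal Server Error<br>"
                    "Microsoft VBScript runtime error '800a000d'<br>"
                    "Type mismatch: 'CInt'</body></html>"),
    "after": (200, "<html><body>Sorry, something went wrong. "
                   "Please try again later.</body></html>"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        status, body = fetch(sys.argv[1])
        results = {sys.argv[1]: assess_response(status, body)}
    else:
        results = {name: assess_response(s, b) for name, (s, b) in SAMPLES.items()}
    for name, findings in results.items():
        print(name, "->", findings or ["OK"])
```

Run it with no arguments to see the constructed before/after samples classified, or with the URL of a page that deliberately throws an error to check a real deployment. The status check is the one that corresponds to the scanner finding in this post; the body patterns catch the separate case where the custom page itself is still echoing error details.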
If your website is being audited and you come across this sort of finding, this could be one of the solutions. I hope someone finds this information useful.