One of my web applications went through some sort of security scan and came back with "Server error response vulnerabilities". I checked the web.config file and confirmed that the following line exists.
<customErrors mode="On" defaultRedirect="~/error.aspx" />
When I navigate to "http://localhost/pagenotfound.aspx", I see the custom error page as expected. But when I navigate to "http://localhost/pagenotfound.haha", I see the following response headers in Fiddler.
HTTP/1.1 404 Object Not Found
Date: Tue, 18 Jan 2011 03:42:36 GMT
According to the scan report, it is a best practice not to reveal the exact error message, or any hint, to an attacker, but to display a generic error page instead. The .haha request bypasses customErrors because IIS only hands requests with mapped extensions (such as .aspx) to ASP.NET; an unmapped extension is answered by IIS itself with its default 404 page, so the custom page has to be configured in IIS as well. Here are the steps to implement it. If you have IIS 6.0,
1. Right click the website, select Properties
2. Click on the Custom Errors tab
3. Scroll down the list and look for the HTTP Error 404, see figure 1
4. Double click the HTTP Error 404 and you should see a popup window like the one in figure 2.
5. Select URL from the Message Type, and type in the URL to the generic error message page.
Now, navigate to "http://localhost/pagenotfound.haha" and you should see the custom error page instead of page not found error.
If you have IIS 7/7.5,
1. Click on the Error Pages under IIS section, see figure 3
2. Click on the Edit Feature Settings…
3. You should see a window similar to figure 4.
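The same IIS 7/7.5 setting can be made in web.config instead of through the Error Pages dialog. The fragment below is an added example, not from the original post; it assumes the application is at the site root and that /error.aspx is the generic error page, and it shows both layers side by side: the ASP.NET customErrors line the post already has (which never sees an unmapped-extension request) and the IIS httpErrors section that actually catches /pagenotfound.haha.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ASP.NET layer: applies only to requests IIS routes to the ASP.NET handler
       (e.g. .aspx). On its own it does not cover /pagenotfound.haha. -->
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>

  <!-- IIS 7/7.5 layer: equivalent of Error Pages > Edit Feature Settings.
       errorMode="Custom" sends the custom page to local and remote clients alike
       (the default, DetailedLocalOnly, still shows details when browsing from the server).
       existingResponse="Replace" also overrides any error body a handler already wrote. -->
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace"
                defaultResponseMode="ExecuteURL" defaultPath="/error.aspx">
      <!-- Drop the built-in 404 entry so the IIS default "Object Not Found" page is never sent.
           Path is assumed: /error.aspx must live inside this application for ExecuteURL. -->
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

Retest with the unmapped-extension URL from the post after applying; note that existingResponse="Replace" also replaces error bodies your own code writes deliberately, so use "Auto" if the application returns its own error responses.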
If you don't have access to IIS, or your web application is hosted with a hosting company, contact them and ask them to enable Remote IIS Manager for your domain.
To download and install the IIS 7.0 Manager, use one of the following links:
For X86 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1626
For X64 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1633
Once you have it installed, click on File and then Connect to a Site… You should see a window similar to figure 5. Insert the server name or URL (yourdomain.com) and give your site a name (my new domain).