CWE-12
ASP.NET Misconfiguration: Missing Custom Error Page
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: ASP.NET Misconfiguration: Missing Custom Error Page
An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
Informations générales
Informations de base
Modes d'introduction
ImplementationOperation
Plateformes applicables
Langue
Name: ASP.NET (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality | Read Application Data Note: Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application. |
Mesures d’atténuation potentielles
Phases : System ConfigurationHandle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.
Phases : Architecture and Design
Do not attempt to process an error or attempt to mask it.
Phases : Implementation
Verify return values are correct and do not supply sensitive information about the system.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-6
Seven Pernicious Kingdoms: A Taxonomy of Software Security ErrorsKatrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
REF-65
19 Deadly Sins of Software SecurityM. Howard, D. LeBlanc, J. Viega.
REF-66
ASP.NET Misconfiguration: Missing Custom Error HandlingOWASP, Fortify Software.
https://www.owasp.org/index.php/ASP.NET_Misconfiguration:_Missing_Custom_Error_Handling
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| 7 Pernicious Kingdoms | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Other_Notes, References, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences, Other_Notes, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Name, Relationships | |
| CWE Content Team | MITRE | updated Background_Details, Common_Consequences, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Potential_Mitigations, References, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Weakness_Ordinalities |
