9

We currently have a page that is used to display a generic error message when errors occur on our website. It has no functionality at all other than displaying a label that says there was an error.

Here is my issue: our client has run a security review and tells us our error page presents a phishing risk due to the URL in the query string. Now, I don't consider this a problem, but to put an end to the question I'd like to remove the query string.

My web.config entry is this:

<customErrors mode="On" defaultRedirect="~/DefaultErrorPage.aspx">
</customErrors>

When an error occurs, it goes to DefaultErrorPage.aspx?aspxerrorpath=/Website1/LastPage.aspx

How can I prevent this? I could just redirect to the page if it contains the query string, but I'm looking for a way to prevent the query string rather than adding an extra redirect.

jaekie

3 Answers

8

You could catch/handle all errors in your global.asax file instead and do the redirect there:

    protected void Application_Error(object sender, EventArgs e)
    {
        // Server.GetLastError() returns the unhandled exception if you want to log it.

        // Clear it so ASP.NET does not also apply the <customErrors> redirect
        // (which is what appends aspxerrorpath).
        Server.ClearError();

        // Execute the error page in-process: no 302, so nothing is added to the URL.
        Server.Transfer("~/DefaultErrorPage.aspx");
    }
jumpdart
  • This will work... until Microsoft adds a =) – jaekie Jan 18 '11 at 16:43
  • Unfortunately this doesn't work if the error is in Application_Start. "Request is not available in this context" – Stefan Paul Noack Nov 02 '12 at 16:17
  • @noah1989 By "doesn't work" do you mean it still allows security auditors to think there's some kind of cross site scripting vulnerability? Or do you just need to use a different mechanism for diagnosing errors in that case? –  Aug 14 '13 at 14:40
  • @ebyrob: By "doesn't work" I mean that the application does not start at all. Which in most cases it totally OK if there is an Exception in Application_Start. But what I wanted to do is to provide at least a custom 503 "Service Unavailable" page. I solved this by catching the Exception in Application_Start, setting a global flag and using Server.Transfer in Begin_Request if the flag is set to deliver the 503 Page. – Stefan Paul Noack Aug 14 '13 at 15:02
  • @noah1989 Full sample about it? – Kiquenet May 24 '16 at 07:03
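A fuller Global.asax.cs, added here as an example and not the answer's own code. It keeps the Server.Transfer approach above and adds the start-up fall-back from the comments: an exception in Application_Start is caught and recorded, because Request is not available there, and Application_BeginRequest then serves a 503 page. The page name "Unavailable.aspx", the connection string name "Main" and the LogError helper are assumptions; "DefaultErrorPage.aspx" is the page from the question.

```csharp
using System;
using System.Configuration;
using System.Diagnostics;
using System.Web;

namespace Website1
{
    public class Global : HttpApplication
    {
        // Set when one-time initialisation fails. Request is not available
        // inside Application_Start, so the transfer has to happen later.
        private static volatile bool startupFailed;

        protected void Application_Start(object sender, EventArgs e)
        {
            try
            {
                InitialiseSite();
            }
            catch (Exception ex)
            {
                startupFailed = true;
                LogError(ex);
            }
        }

        // Runs for every request; serves a 503 page while start-up is broken.
        // Server.Transfer does not issue a new request, so this cannot loop.
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            if (!startupFailed) return;
            Response.StatusCode = 503;
            Response.TrySkipIisCustomErrors = true;   // keep IIS from replacing the body
            Server.Transfer("~/Unavailable.aspx");    // assumed page; browser URL unchanged
        }

        // Replaces <customErrors defaultRedirect>: no 302, so no aspxerrorpath.
        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();
            if (ex == null) return;

            // ASP.NET wraps page errors in HttpUnhandledException; log the real one.
            Exception cause = ex.GetBaseException();
            LogError(cause);

            // Clear the error first, otherwise ASP.NET still applies <customErrors>
            // (and its redirect) after this handler returns.
            Server.ClearError();

            // Preserve a meaningful status: 404 for missing pages, 500 otherwise.
            var httpEx = cause as HttpException;
            Response.Clear();
            Response.StatusCode = httpEx != null ? httpEx.GetHttpCode() : 500;
            Response.TrySkipIisCustomErrors = true;

            // Render the error page in-process. The failing request's own query
            // string is preserved (preserveForm defaults to true), but nothing
            // is appended to it.
            Server.Transfer("~/DefaultErrorPage.aspx");
        }

        private static void InitialiseSite()
        {
            // Typical start-up work that can fail: a required connection string.
            var cs = ConfigurationManager.ConnectionStrings["Main"]; // assumed name
            if (cs == null)
                throw new ConfigurationErrorsException("connectionStrings/Main is missing");
        }

        private static void LogError(Exception ex)
        {
            // Stand-in for the site's real logger; never write details into the response.
            Trace.TraceError("Unhandled error: {0}", ex);
        }
    }
}
```

Two points worth checking in your own environment: Server.Transfer ends the current response via Response.End, which surfaces as a ThreadAbortException in the calling code and is normal here; and if the failing request has already started sending the response, Response.Clear and the status assignment will throw, so a site that streams large responses should guard on Response.HeadersWritten equivalents before touching them.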
3

As a quick-fix, I've found that appending "?" onto the end of the defaultRedirect setting worked for me in removing the aspxerrorpath.

Also, I was getting the same issue with the customErrors settings in system.web, and the same solution worked:

<customErrors mode="On" defaultRedirect="~/SystemError.aspx">
   <error statusCode="403" redirect="~/Home.aspx?"/>
   <error statusCode="404" redirect="~/Home.aspx?"/>
</customErrors>

Alternatively, do the same on system.webServer settings:

<httpErrors errorMode="Custom">
   <remove statusCode="403" subStatusCode="-1" />
   <error statusCode="403" path="/Home.aspx?" responseMode="Redirect" />
   <remove statusCode="404" subStatusCode="-1" />
   <error statusCode="404" path="/Home.aspx?" responseMode="Redirect" /> 
</httpErrors>
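An added configuration example, not from the original answer, using the redirectMode attribute that customErrors gained in .NET 3.5 SP1. With redirectMode="ResponseRewrite" ASP.NET executes the error page in the same response instead of sending a 302, so the browser keeps the failing page's URL and no aspxerrorpath is appended; the trailing "?" trick is then unnecessary. The page names are the question's DefaultErrorPage.aspx plus an assumed NotFound.aspx.

```xml
<system.web>
  <customErrors mode="On"
                defaultRedirect="~/DefaultErrorPage.aspx"
                redirectMode="ResponseRewrite">
    <error statusCode="404" redirect="~/NotFound.aspx" />
  </customErrors>
</system.web>
```

Caveat: ResponseRewrite requires the target to be a physical file (an .aspx page or static file); it does not work with routed URLs, so an MVC action as the error target still needs the Application_Error approach. Use mode="RemoteOnly" if developers should keep seeing the detailed error locally.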
Tom Austin
2

You are going to have to take control of the error handling process yourself. One method is to get rid of the custom error redirect and use the Application_Error method in global.asax. You can then direct the person as needed, without any query string argument.

Another option is ELMAH, which is designed to avoid the yellow screen of death errors in ASP.NET. You can then tailor a friendly error and not worry about writing error handling code, per se.

A third method is to educate the security team on how ASP.NET works and see if the "security concern" is legitimate (it may be) or not. This does not mean they won't make you do one of the above options anyway, of course.

Brad Christie
Gregory A Beamer
  • I'd love to use ELMAH, I use it on my home projects, but my clients restrict 99% of our 3rd party and 100% of open source 3rd parties – jaekie Jan 18 '11 at 16:41
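On the "is the concern legitimate" question from the last answer: the aspxerrorpath value is only a problem if the error page consumes it, because anyone can request /DefaultErrorPage.aspx?aspxerrorpath=<anything> directly. The code-behind below is an added example, not from the thread, showing the check an error page needs if it wants to offer a "go back" link or display the failing path. The BackLink and ErrorPathLabel controls and the SafeLocalPath helper are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

public partial class DefaultErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Treat aspxerrorpath as untrusted input even though ASP.NET normally fills it in.
        string back = SafeLocalPath(Request.QueryString["aspxerrorpath"], Request.ApplicationPath);

        if (back == null)
        {
            BackLink.Visible = false;          // assumed HyperLink control
            return;
        }

        BackLink.NavigateUrl = back;                         // same-site path only
        ErrorPathLabel.Text = HttpUtility.HtmlEncode(back);  // assumed Label; encode before rendering as text
    }

    // Returns the path if it is an absolute path inside this application, else null.
    internal static string SafeLocalPath(string candidate, string appPath)
    {
        if (string.IsNullOrEmpty(candidate) || candidate.Length > 2048) return null;

        // Browsers strip tabs and line breaks before parsing, so "/\t/evil.example"
        // would become "//evil.example"; NUL can truncate the value downstream.
        if (candidate.IndexOfAny(new[] { '\t', '\r', '\n', '\0' }) >= 0) return null;

        // Must be an absolute path: never a scheme ("http:..."), never
        // protocol-relative ("//host"), never the backslash variant ("/\host").
        if (candidate[0] != '/') return null;
        if (candidate.Length > 1 && (candidate[1] == '/' || candidate[1] == '\\')) return null;

        // Keep it inside the application's virtual directory (e.g. "/Website1/").
        string root = VirtualPathUtility.AppendTrailingSlash(appPath ?? "/");
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        return candidate;
    }
}
```

With this check, aspxerrorpath=http://evil.example, aspxerrorpath=//evil.example and aspxerrorpath=/OtherApp/x.aspx are all dropped, while the value ASP.NET itself generates, /Website1/LastPage.aspx, is accepted. If the error page never reads the query string at all, as the question describes, none of this applies and removing the parameter is purely cosmetic.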