Live Active security incident? Get immediate response
CWE Reference

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

Official CWE-12 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20weaknessDraft
Search CWE CWE Dictionary

Glexia's Take

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

ASP.NET Misconfiguration: Missing Custom Error Page represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Confidentiality: Read Application Data: Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.

Developer Pattern

CWE-12 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

high confidence from CWE-12, 4.20.

Official CWE Definition

CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page

An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.

Type
weakness
Abstraction
Variant
Status
Draft
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The mode attribute of the <customErrors> tag in the Web.config file defines whether custom or default error pages are used. In the following insecure ASP.NET application setting, custom error message mode is turned off. An ASP.NET error message with detailed stack trace and platform versions will be returned.,A more secure setting is to set the custom error message mode for remote users only. No defaultRedirect error page is specified. The local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server customError configuration setting and the platform version will be returned.,Another secure option is to set the mode attribute of the <customErrors> tag to use a custom page as follows:

Remediation

  • System Configuration: Handle exceptions appropriately in source code. ASP .NET applications should be configured to use custom error pages instead of the framework default page.
  • Architecture and Design: Do not attempt to process an error or attempt to mask it.
  • Implementation: Verify return values are correct and do not supply sensitive information about the system.

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.