ASP.NET Error StatusCode=403
Stack Overflow question (http://stackoverflow.com/questions/22175799/asp-net-403-response-code-not-firing-custom-error): asp.net 403 response code not firing custom error

I have a custom error set in my web.config like so:
Source: https://www.troyhunt.com/solving-tyranny-of-http-403-responses/

... is a serious security risk.

What the?! You mean if I go to my website, which has a "scripts" folder where I put all my JavaScript, and I have directory browsing disabled (as I rightly should) and the server returns a 403 "Forbidden" (which it rightly should), I'm putting my internet things at risk of being pwned?!

Yes, because it discloses the presence of a folder called "scripts", which is a common directory.

Well of course there's a bloody folder called "scripts", all my HTML source which you can see references it! I could call it "i-love-drunken-elephants" and you could still see it, so what's the point?!

But it would still return a 403, which would confirm the existence of the resource and pose a directory enumeration risk.

But you can discover the presence of the directories anyway! Ok, in today's modern apps like ASP.NET MVC they might actually be routes that don't translate through into physical paths, but still, this is just being pedantic!

Your site can't go live until you fix it.

Uh, let me just fix that for you...

Getting to grips with the underlying issue

This is one of those things that, rightly or wrongly, I've seen popping up from various security teams and automated scanners in recent times. You can argue it all you want (and the severity of it is contentious), but the fact that it rears its head and causes debate is enough to just fix the damn thing and be done with it. Oh, and incidentally, I ran Netsparker over Have I been pwned? (HIBP) recently and this was one of the findings, so yeah, it affects me too (although I have the luxury of choosing to ignore it if I like!)
Let me show you why this happens: in the source of each page I have a script tag like this:

This is actually using ASP.NET bundling and minification to combine multiple scripts into one and then squish all the JavaScript, but what it means is that it's implying there is a path which is simply "/scripts". If we hit that path we'll get the following:

Yes, I have custom errors configured for the app, but they don't catch the 403.1
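The reason the app's custom errors never see this response is that the 403 is produced by IIS itself: directory listing is refused by the static-file pipeline before the request reaches ASP.NET, so a `<customErrors>` element in `<system.web>` is never consulted and the fix has to live in `<system.webServer>`. The web.config fragment below is an added example for this page, not configuration from the original post. It assumes the IIS URL Rewrite module is installed and uses the server variable `{REQUEST_FILENAME}` with `matchType="IsDirectory"` to answer a request for any physical directory with a plain 404, so a probe for /scripts becomes indistinguishable from a probe for a folder that does not exist.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Added example, not from the original post: answer requests for any
             physical directory with a 404 instead of the 403 IIS produces when
             directory browsing is disabled, so the response no longer confirms
             that the folder exists. -->
        <rule name="Hide directories as 404" stopProcessing="true">
          <!-- ".+" matches every non-empty path; the site root has an empty
               url and is left alone, so the home page keeps working. -->
          <match url=".+" />
          <conditions>
            <!-- {REQUEST_FILENAME} is the request mapped to a physical path.
                 IsDirectory is true for /scripts, /Content, /fonts and the
                 like, and false for MVC routes with no folder behind them. -->
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
          </conditions>
          <!-- CustomResponse ends the request here with the given status; the
               reason and description mirror the stock IIS 404 text. -->
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found"
                  statusDescription="The resource you are looking for has been removed, had its name changed, or is temporarily unavailable." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

One caveat before shipping this: the rule also returns 404 for a subfolder that relies on an IIS default document (for example /admin/ serving default.aspx). Exclude such paths with an additional negated condition, or link to the document explicitly. Directory browsing should stay disabled as well; the rule changes what the server says about a folder, not what is in it.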
Source: http://www.digitallycreated.net/Blog/57/getting-the-correct-http-status-codes-out-of-asp.net-custom-error-pages

... pages, chances are your site is returning the incorrect HTTP status codes for the errors that your users are experiencing (hopefully as few as possible!). Sure, your users see a pretty error page just fine, but your users aren't always flesh and blood. Search engine crawlers are also your users (in a sense), and they don't care about the pretty pictures and funny one-liners on your error pages; they care about the HTTP status codes returned. For example, if a request for a page that was removed consistently returns a 404 status code, a search engine will remove it from its index. However, if it doesn't and instead returns the wrong code (typically a 302 redirect to an error page that itself answers 200), the search engine may leave the page in its index. This is what happens if your non-existent pages don't return the correct status code! Unfortunately, ASP.NET custom error pages don't return the correct error codes. Here's your typical ASP.NET custom error page configuration that goes into the Web.config:
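The article's own configuration is cut off above, so the following is an added example for this page rather than the author's Web.config. It shows the usual `<customErrors>` setup beside a corrected one: the default `redirectMode` (ResponseRedirect) sends the browser a 302 to the error page, which then returns 200, whereas `redirectMode="ResponseRewrite"` serves the error page within the original request. Because ResponseRewrite works through Server.Transfer, the targets must be physical .aspx pages (the `~/Errors/*.aspx` paths here are assumed), and each error page must still set `Response.StatusCode` itself, with `Response.TrySkipIisCustomErrors = true` so IIS does not substitute its own page.

```xml
<configuration>
  <system.web>
    <!-- Typical configuration (added example). redirectMode defaults to
         ResponseRedirect: a request for a missing page gets a 302 to
         NotFound.aspx, and NotFound.aspx answers 200. A crawler sees
         "moved" and then "OK", never a 404.

    <customErrors mode="On" defaultRedirect="~/Errors/General.aspx">
      <error statusCode="404" redirect="~/Errors/NotFound.aspx" />
    </customErrors>
    -->

    <!-- Corrected configuration. ResponseRewrite renders the error page in
         the same request, so no 302 is emitted and the requested URL stays
         in the address bar. The page itself must set Response.StatusCode
         (404 in NotFound.aspx, 500 in General.aspx) and
         Response.TrySkipIisCustomErrors = true; otherwise the response is
         sent as 200, or IIS replaces the body with its own error page. -->
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/Errors/General.aspx">
      <error statusCode="404" redirect="~/Errors/NotFound.aspx" />
      <error statusCode="500" redirect="~/Errors/General.aspx" />
    </customErrors>
  </system.web>
</configuration>
```

To check the result without a browser, request a path that does not exist and look at the status line only: the first configuration answers 302 followed by 200 on the redirected page, the corrected one answers a single 404 with the custom page as its body.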