Config Files Custom Errors Disabled

Description

Detects when custom error handling is disabled in .NET web applications through configuration files. When custom errors are set to "Off", detailed error messages may be shown to end users, potentially exposing sensitive system information, stack traces, or internal application details that could aid attackers.

Weakness:

239 - Technical information leak - Errors

Category: Information Collection

Detection Strategy

    Scans web.config files for system.web configuration sections

    Identifies customErrors elements whose mode attribute is set to 'Off' (element names in .NET configuration are case-sensitive, so the match is on the exact tag customErrors)

    Reports vulnerability when custom error handling is explicitly disabled through the mode='Off' setting

    Checks specifically for .NET configuration files containing the <system.web><customErrors mode="Off"> pattern
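The detection strategy above can be reproduced with a small stand-alone checker. The following is an added example, not the rule's own implementation: it parses a web.config with the standard library, walks every system.web section (including sections scoped by a location element, which the list above does not mention but which a real config may use to switch errors off for one path only) and reports any customErrors element whose mode is Off. The sample configurations are constructed for the example. Two assumptions are marked in the code: a missing customErrors element or mode attribute is treated as the ASP.NET default RemoteOnly, and the value "Off" is matched case-insensitively as a conservative choice.

```python
"""Checker for <customErrors mode="Off"> in ASP.NET web.config files (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real project).
VULNERABLE_CONFIG = """<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
"""

SECURE_CONFIG = """<configuration>
    <system.web>
        <customErrors mode="On" defaultRedirect="~/Error.aspx"/>
    </system.web>
</configuration>
"""

# No customErrors element at all: ASP.NET falls back to RemoteOnly (assumption
# used by this checker; RemoteOnly hides details from remote clients).
MISSING_CONFIG = """<configuration>
    <system.web>
        <compilation debug="false"/>
    </system.web>
</configuration>
"""

# Errors are hidden at the root but switched off again for one path via
# <location>, which a scanner that only looks at the top-level section misses.
LOCATION_OVERRIDE_CONFIG = """<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx"/>
    </system.web>
    <location path="admin">
        <system.web>
            <customErrors mode="Off"/>
        </system.web>
    </location>
</configuration>
"""


def find_custom_errors_off(config_xml: str) -> list:
    """Return one finding per <customErrors mode="Off"> in any <system.web> section.

    Each finding is a dict with the scope ("<root>" or the <location path="...">
    value) and the literal mode string that was found.
    """
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers; build a child -> parent map once so a
    # flagged section can be attributed to its enclosing <location>, if any.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    # iter() matches the exact tag, so nested sections inside <location> are
    # visited too. Tag names are case-sensitive, as in the .NET config reader.
    for section in root.iter("system.web"):
        custom_errors = section.find("customErrors")
        if custom_errors is None:
            continue  # absent element -> RemoteOnly default (assumption)
        mode = custom_errors.get("mode", "RemoteOnly")  # absent attribute -> default (assumption)
        if mode.lower() != "off":  # case-insensitive match is a conservative choice
            continue
        parent = parents.get(section)
        scope = "<root>"
        if parent is not None and parent.tag == "location":
            scope = parent.get("path", "<root>")
        findings.append({"scope": scope, "mode": mode})
    return findings


def is_custom_errors_disabled(config_xml: str) -> bool:
    """True when at least one section in the file disables custom errors."""
    return bool(find_custom_errors_off(config_xml))


def scan_files(paths: list) -> dict:
    """Scan web.config files on disk; returns {path: [findings]} for files with hits."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            hits = find_custom_errors_off(handle.read())
        if hits:
            results[path] = hits
    return results


if __name__ == "__main__":
    # Usage: python check_custom_errors.py path/to/web.config [...]
    # With no arguments the constructed samples are checked instead.
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for hit in hits:
                print(f"{path}: customErrors mode={hit['mode']} in scope {hit['scope']}")
    else:
        samples = {"vulnerable": VULNERABLE_CONFIG, "secure": SECURE_CONFIG,
                   "missing": MISSING_CONFIG, "location-override": LOCATION_OVERRIDE_CONFIG}
        for name, xml in samples.items():
            print(f"{name}: {find_custom_errors_off(xml)}")
```

Running the script with no arguments prints the findings for the four constructed samples; the location-override sample is the one worth noting, because its root section is safe and only the admin path is flagged.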

Vulnerable code example

<!-- web.config -->
<configuration>
    <system.web>
        <customErrors mode="Off"/>  <!-- Vulnerable: Disables custom error pages, exposing detailed error info -->
    </system.web>
</configuration>

✅ Secure code example

<!-- web.config -->
<configuration>
    <system.web>
        <customErrors mode="On"/>  <!-- Secure: Enables custom error pages to prevent information disclosure -->
    </system.web>
</configuration>