ASP.Net Custom Errors Disabled

ID

csharp.custom_errors_disabled

Severity

high

Resource

Misconfiguration

Language

CSharp

Tags

CWE:209, NIST.SP.800-53, OWASP:2021:A7, PCI-DSS:6.5.3, aspnet

Description

Disabling custom error pages in ASP.NET applications can reveal detailed error information to end users, posing a security risk.

Rationale

The customErrors setting in an ASP.NET application's web.config determines what users see when an unhandled exception occurs. If the customErrors mode is set to "Off", every user, local or remote, receives the detailed ASP.NET error page, which malicious actors can use to identify vulnerabilities in the application.

Often, this detailed error display includes stack traces, configuration details, and possibly sensitive file locations.

An example of unsafe configuration:

<customErrors mode="Off" />

In environments where customErrors is set to Off, the application will expose detailed error messages to end users, instead of offering a user-friendly and secure error page. This can aid attackers in reconnaissance and furthering their exploitation attempts.

Remediation

To mitigate this risk, configure your ASP.NET application to use custom error pages by setting the customErrors mode to RemoteOnly or On. With RemoteOnly, detailed error information is shown only for requests originating from the local machine, so developers and administrators can still see it while remote end users receive the page named by defaultRedirect (or a generic error page if none is set). With On, every request, including local ones, receives the custom page.

<customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx" />
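The following script is an added example, not part of the rule text or of any ASP.NET tooling. It parses a web.config and reports the effective customErrors mode, flagging the unsafe "Off" setting from the Rationale section and confirming the RemoteOnly remediation above. The three embedded configurations are constructed for the demonstration; the absence of a customErrors element is treated as RemoteOnly, which is the ASP.NET default.

```python
"""Audit a web.config for the csharp.custom_errors_disabled finding.

Added example for this rule page; the sample configurations below are
constructed, not taken from a real application.
"""
import xml.etree.ElementTree as ET

# Constructed: the unsafe setting shown in the Rationale section.
UNSAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed: the remediated setting, plus a per-status override.
SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="ErrorPage.aspx">
      <error statusCode="404" redirect="NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# Constructed: no customErrors element at all; ASP.NET defaults to RemoteOnly.
DEFAULT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web />
</configuration>
"""


def find_custom_errors(root: ET.Element):
    """Return the first <customErrors> element, or None if absent.

    root.iter() is used instead of an XPath because the element name
    'system.web' contains a dot, which ElementPath would misparse.
    """
    return next(root.iter("customErrors"), None)


def custom_errors_mode(config_xml: str) -> str:
    """Return the effective customErrors mode for the given web.config text.

    A missing element or missing mode attribute yields "RemoteOnly",
    the ASP.NET default. Any other literal value is returned unchanged
    so that an unexpected or misspelt value is visible in the report.
    """
    node = find_custom_errors(ET.fromstring(config_xml))
    if node is None:
        return "RemoteOnly"
    return node.get("mode", "RemoteOnly")


def audit_custom_errors(config_xml: str) -> dict:
    """Evaluate one web.config against the rule and describe the finding."""
    node = find_custom_errors(ET.fromstring(config_xml))
    mode = custom_errors_mode(config_xml)
    has_redirect = node is not None and bool(node.get("defaultRedirect"))
    status_overrides = [] if node is None else [
        e.get("statusCode") for e in node.findall("error")
    ]
    return {
        "mode": mode,
        # Only "Off" sends the detailed ASP.NET error page to remote clients.
        "detailed_errors_exposed_remotely": mode == "Off",
        "has_default_redirect": has_redirect,
        "status_overrides": status_overrides,
        "severity": "high" if mode == "Off" else "none",
    }


if __name__ == "__main__":
    for name, cfg in (("unsafe", UNSAFE_CONFIG),
                      ("safe", SAFE_CONFIG),
                      ("default", DEFAULT_CONFIG)):
        print(name, audit_custom_errors(cfg))
```

Running the script reports the unsafe configuration as a high-severity finding and the other two as clean; to audit a real deployment, read the file's text and pass it to audit_custom_errors in place of the constructed strings.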

References

  • CWE-209 : Generation of Error Message Containing Sensitive Information.