CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page
An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
Last updated
Overview
CWE-12 (ASP.NET Misconfiguration: Missing Custom Error Page) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
The mode attribute of the tag defines whether custom or default error pages are used.
Real-world CVEs
1 recorded CVEs are caused by CWE-12 (ASP.NET Misconfiguration: Missing Custom Error Page). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-12 is exploited.
Read Application Data
Affects: Confidentiality
Default error pages gives detailed information about the error that occurred, and should not be used in production environments. Attackers can leverage the additional information provided by a default error page to mount attacks targeted on the framework, database, or other resources used by the application.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.