tags:

views:

37

answers:

2
Q: 

ASP.NET Custom Errors vs. Compilation debug="false" and security

I keep reading that an ASP.NET based web site should have custom errors enabled in the web.config because exceptions will show a stack trace.

I may have a faulty memory (currently don't have access to an ASP.NET website under development), but I thought as long as Compilation debug="false" in the web.config file, then the stack trace will not be displayed.

Is my understanding correct about the debug flag and display of the stack trace? If so, then even if custom errors are not enabled, then won't the only message displayed to remote users for an exception be a the non-descriptive message:

"The page cannot be displayed because an internal server error has occurred."

If so then wouldn't it be OK, from a security perspective, to not display a custom error page for the exception?

+1  A: 

No, a stack trace will still be shown even if the debug flag is off, but it will not have line numbers for each call in the stack.

The non-descriptive message is what the browser usually shows instead of the actual error message from the server, unless you change the configuration. Anyone wanting to expose information by causing error messages would know how to do this.

Displaying the stack trace isn't a security risk in itself, but it does expose some information that could potentially make it easier to hack the site. A hacker might for example get a clue as to what's done to sanitase the input and find a way around it.

Guffa  2010-07-06 22:58:29
Then using one global custom error page, would be an improvement in terms of best practices, verses no custom error pages, correct?
harrije  2010-07-06 23:35:59
@harrije: Yes, it keeps the error message from leaking information, and it gives a better experience for users who happen to get an error message.
Guffa  2010-07-07 00:40:55
A: 

Custom error messages should almost always be prefered over the default error thrown. It gracefully sends your user to a location where they can keep browsing your site without having to go back and try again.

Turning DEBUGGING off in your web.Config is VERY important and goes beyond just not showing the line numbers and stack trace... it also tells the compiler to build in release mode which optimizes performance dramatically. As soon as your app goes to production, all debugging should be disabled.

rockinthesixstring  2010-07-06 23:49:03

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps