How to stop a 500 .net error created calling the 500 error page

Tags: asp.net, iis

Here's an interesting one for you.

I've got my custom 500.aspx set up, which is called when a 500 error occurs in my application. The 500.aspx also sends me an email with the error details.

I've noticed one small problem.

If you attempt an XSS attack on the 500.aspx itself, the 500 page is not called.

This is obviously some sort of logic issue.

In fact, Microsoft themselves suffer from the same issue.

See it in action here:

http://www.microsoft.com/500.aspx?aspxerrorpath=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

How can I prevent this?

Ed

Colm Troy asked Jan 30 '09 11:01


1 Answer

If you attempt an XSS attack on any page, the custom error page will not be called (here's another random page on Microsoft.com with XSS in the query string).

The behavior appears to be intentional to stop the attack dead in its tracks. Even the error message indicates this behavior:

Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.

The only workaround appears to be to disable validation or to capture and handle the error in Application_Error in your Global.asax.

Chris Van Opstal answered Nov 23 '22 18:11
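The Application_Error workaround from the answer, as an added example (not code from the question or answer authors): a Global.asax handler that keeps request validation enabled, recognises the HttpRequestValidationException that aborted the request, records it, and then serves the custom 500.aspx. The page names 500.aspx and aspxerrorpath come from the page; the logging helper and the HttpContext.Items key are assumptions.

```csharp
// Global.asax.cs (added example; assumes the custom error page lives at ~/500.aspx)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumed key under which 500.aspx can find the exception after the transfer.
    public const string ErrorItemKey = "LastHandledError";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps the real error in HttpUnhandledException; unwrap it.
        Exception root = ex.GetBaseException();

        // Request validation aborts the request before any page runs, so the
        // <customErrors> 500.aspx is never reached. Handle that case here.
        if (root is HttpRequestValidationException)
        {
            LogError("Request validation blocked input", root, Request);

            // Hand the exception to 500.aspx via Context.Items, which survives
            // Server.Transfer, then clear the error so ASP.NET does not also
            // render its default "potentially dangerous client input" page.
            Context.Items[ErrorItemKey] = root;
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 500;
            Response.TrySkipIisCustomErrors = true; // IIS 7+ integrated mode

            // preserveForm = false clears QueryString/Form, so 500.aspx does not
            // re-validate the same dangerous aspxerrorpath value and fail again.
            Server.Transfer("~/500.aspx", false);
        }
        // Any other exception continues through the normal customErrors path.
    }

    private static void LogError(string message, Exception ex, HttpRequest request)
    {
        // Assumed logging sink; swap in the same email routine 500.aspx uses.
        // Encode the URL so the offending input cannot execute wherever the log is viewed.
        string safeUrl = HttpUtility.HtmlEncode(request.RawUrl);
        System.Diagnostics.Trace.WriteLine(
            string.Format("{0}: {1} (url={2})", message, ex.Message, safeUrl));
    }
}
```

In 500.aspx, read `Context.Items[Global.ErrorItemKey]` instead of `Server.GetLastError()` and HTML-encode anything from the request before writing it into the page or the email.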