Disable ASP.NET server error pages in production environment - asp.net

I would like the following behavior in regards to error statuscode responses:
In JsonResult Actions (for AJAX postbacks), return custom body along with some error statuscode
For errors in other action methods, show IIS (custom) error page
For 404 errors, show IIS (custom) error page
In local environment: For errors in non-json action methods, and 404, show ASP.NET error page with stacktrace
If I set existingResponse=Replace in the httpErrors element in web.config, the IIS error pages override any response with an error-statuscode. That is I cannot return a custom json response.
If I set existingResponse=Auto I can return a custom json response by setting Response.TrySkipIisCustomErrors=true, but then the ASP.NET (custom) error pages are shown for any other error statuscode. That is, it never falls back to the IIS error pages. It seems that ASP.NET automatically sets the TrySkipIisCustomErrors on server errors, which I do not want.
Is there any way to achieve what I describe? I could possibly use the ASP.NET customErrors section instead, but I realize it also has disadvantages, as described here:
https://dusted.codes/demystifying-aspnet-mvc-5-error-pages-and-error-logging
One could use a combination of httpErrorsand customErrors, but the latter does no support ExecuteURL - only static error pages. That is unfortunate since I would like to make use of the master Layout.cshtml.
Any suggestions?

Related

Application_Error is not fired on 404 error

I use an Application_Error handler to log all unhandled exceptions; generally it works well, but 404 errors always are skipped. Any ideas what might be the reason?
Actually, that is because that's an http protocol error returned by your web server. It's not a .net framework exception and thus it can't be handled by asp.net. However, you can configure IIS to serve a custom page when it returns a 404 error and this can be done through your web.config file. Needless to say that this custom page could be an aspx page where you can add some custom processing such as logging the error ;)
404's are not always caused by exceptions. You can just set the Response.Status* fields to generate a 404 response.
Use Application_EndRequest to examine the response and act on it.

ASP.NET MVC: How to handle 400 bad request error when url end with %

I am trying to handle all HTTP errors to my custom error pages, but I find that when there is a % at the end of url, i cannot use config setting or code to handle it,
for example: http://localhost/abc%
the response is:
Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
So, can we use config setting or c# code to handle this error request?
Who said not possible?
Response.TrySkipIisCustomErrors = true;
OR
<configuration>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</configuration>
original post
See this 4 part series for configuring custom error pages within IIS: http://www.dotnetscraps.com/dotnetscraps/post/Did-you-know-Enable-Custom-Error-in-IIS-7-75.aspx.
I personally prefer to use Application_Error event to log the errors and redirect user to custom error pages. Note that you need to use integrated pipe-line in IIS to catch all errors otherwise IIS will show its own error page for resources that are not served by ASP.NET.
EDIT:
Sorry for the wrong answer. I have XP machine currently that shows 404 for % sign so couldn't verify above. Searching over internet, I found that it's simply not possible to display custom error page for 400 status code. See this question from server fault for more information.

Why is the path "/C:badfile" sometimes not being caught by ASP.NET custom error handling?

I've got a bit of an odd situation that recently came up in a security scan and I'm having trouble explaining it. In short, the following URL always returns HTTP 400 and a YSOD:
http://www.mypal4me.com/C:badfile
This site is ASP.NET 4 and is hosted on MaximumASP under IIS7.5. This site is configured with custom errors turned ON and a default redirect page. This is evidenced by causing request validation to throw you off to the error page: http://www.mypal4me.com/?%3Cscript%3E
The only way we've found to send this request off to the custom error page is to add an <error statusCode="400" path="/error.htm" responseMode="ExecuteURL" /> entry under system.webServer.httpErrors in the web.config (obviously this hasn't been done on the site above but has on other MaximumASP sites).
So my question is twofold:
Why is this request not being caught by the usual .NET error handling and the custom error page served as a result?
Why do I only see this happen at MaximumASP - I can't reproduce an HTTP 400 with that pattern in any other IIS/ASP.NET environment.
http://msdn.microsoft.com/en-us/library/s57a598e.aspx
ASP.NET 4 also enables you to configure the characters that are used
by the URL character check. When ASP.NET finds an invalid character in
the path portion of a URL, it rejects the request and issues an HTTP
400 (Bad request) status code. In previous versions of ASP.NET, the
URL character checks were limited to a fixed set of characters. In
ASP.NET 4, you can customize the set of valid characters using the new
requestPathInvalidChars attribute of the httpRuntime configuration
element, as shown in the following example:
It's likely request filtering, specially it doesn't like the C: bit, fearing that it is a directory travesal attack of some sort. Many webhosts security settings will block suck a url.
A most likely guess at the the product in use is UrlScan, http://learn.iis.net/page.aspx/473/using-urlscan
Because this filtering runs at a much lower level in the call chain, the request itself is never passed to your asp.net application process (As many of the attacks that are mitigated are designed to trick IIS into returning files outside your application folder). Thus any application defined error routines won't see it, however an IIS error page (which is what your configuring via webc.config) will be triggered.

How to programmatically set Response.StatusCode different than 200 OK in ASP.NET Application and still serve content to client successfully?

Setting Response.StatusCode = 404 doesn't serve content under neither IE8 nor Chrome? It works in Mozilla though I find it strange!
Do the simplest of things - empty asp.net web application project with empty Default.aspx page. In Page_Load event use the following:
protected void Page_Load( object sender, EventArgs e )
{
Response.StatusCode = 404;
}
This effectively sets the status code of the current request to 404, no doubt about that. When rendering under IE8 or Chrome, or may be some other browsers as well - I haven't tested, the actual page doesn't show up at all. These browsers display their default 404 error pages (NOT default IIS custom errors). Example in IE8:
The webpage cannot be found
HTTP 404
Most likely causes:
•There might be a typing error in the address.
•If you clicked on a link, it may be out of date. ... and so on ...
What I really want to do though is to serve 404 error page with 404 error code which will actually tell the browser or the crawler or whoever that this page doesn't exist - not only to show some fancy custom error message with status message 200 OK.
Using fiddler shows that I am actually really serving the request, but the browser is totally ignoring it?!
My question - how can I set 404 status code and still render page content? Example - http://www.intel.com/invalidpage.wow. Using fiddler shows that this page is served with 404 status code.
By default IE will show it's custom error page if the response for the error is less than a configurable amount. I believe the amount is 512 bytes, but I will try to find some confirmation on this. So all you need to do is put more content in your response.
EDIT: This blog post describes the limits. One of the comments shows the registry key settings for changing these values. The key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\ErrorThresholds
You don't serve the content, you set a custom error page at the web server level (IIS) or in the web.config in the case of asp.net

Get long descriptions of http status codes in asp.net (IIS7)

I've set up a custom error page to handle errors thrown through my site.
I'm running asp.net 3.5 with IIS 7.0 on Godaddy shared hosting ("deluxe" account).
Normally, if I set Response.StatusCode = 412 the server outputs:
Server Error
412 - Precondition set by the client failed when evaluated on the Web server.
The request was not completed due to preconditions that are set in the request header.
Preconditions prevent the requested method from being applied to a resource other than the one intended. An example of a precondition is testing for expired content in the page cache of the client.
I already figured out how to prevent the server from automatically outputting the above message and instead execute my custom error page. What I'm stuck on now is figuring out how to access the long description of the error message.
Response.StatusDescription is "Precondition Failed" - which is expected...but is not really what I want.
Is there anyway to get the long description the server normally sends?
*Note that in order to prevent the default error message I had to set Response.TrySkipIisCustomErrors = true immediately after setting the Response.StatusCode to 412.
The long description is hard coded into 412.htm in this case. Since you have set up your own custom error page, this default supplied page is no longer used. This verbose message is not a part of the ASP.NET Response object.

Resources