I have an MVC application that is running on IIS. I have created a custom exception filter handler that returns a custom JSON object. When I run it locally everything works correctly.
However, when I deploy it to IIS the correct HTTP Status Code is returned, but instead of getting my custom JSON object, I am getting a plain text response that says "Bad Request" or "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
In my web config, I have added:
<customErrors mode="Off" />
and
<httpErrors>
<clear />
</httpErrors>
Any suggestions would be greatly appreciated.
Thanks!
I found the solution. I needed to add errorMode = "Detailed to my httpErrors tag.
<httpErrors errorMode="Detailed">
<clear />
</httpErrors>
Related
During the Pen Test, we received one vulnerability. Repro Steps was Change Host (let's say google.com) to different domain and then hit URL. Then following screen shown,
Here Version Information for dot net framework is showing. I weant through various atricals on internet and they are asking to used in web.config
This tag is already present in web.config and when we hit url without chaning Host it is showing error.aspx page but when we change Host it is showing attached page.In attached image Version Information is mentioned and I want to get rid of that.
Also on out testing envrionment,the version information is not shown with resource not found message. Is there any way to remove version information apart from customErrors tag. Please help me out. We are using IIS 10.
The tag you are already using in the web.config is probably the <customErrors> tag. and that's great for errors that can be caught at the .Net level.
But for errors that don't enter the .Net pipeline you will need to configure the IIS error page for the 404 error. This can be done via the <system.webServer><httpErrors> section of the web.config. For example to return the contents of my-iis-404-page.htm which you locate in the root directory of the website, you could use this:
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Auto">
<error statusCode="404" subStatusCode="" prefixLanguageFilePath="" path="my-iis-404-page.htm" responseMode="File" />
</httpErrors>
</system.webServer>
This configuration can also be done via the IIS gui. For more information about httpErrors aspect of IIS see https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httperrors/
If you want to remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the web.config file.
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
Hey i have an mvc app that i have published in my azure server. I get an error when i try it in the server. In localhost in works fine. But in the server i get an error that looks like this
So my question is how can i remove that custom error. I want to see the error message that explains what the error is about?
i want the error message to be like this one
check if you have this line this line in your web config system.web area
<customErrors mode="Off" />
if you do change it to off and if not add it in
You can use web.config transform file (such as Web.Debug.config or Web.Release.config) and include the following section:
<system.web>
<customErrors mode="Off" xdt:Transform="Insert" />
</system.web>
The Web.config file will be transformed when you deploy to Azure. The transform does not occur locally.
I have a MVC ASP.NET website in which I have the following on the web.config
<customErrors mode="On" defaultRedirect="~/Views/Shared/Error.cshtml">
<error statusCode="404" redirect="~/redir/Home/Http404" />
</customErrors>
So when I try to navigate to an address that does not exist I get my Http404 view located under Home which is correct.
Now I have a special situation in which I want to manually return the same Http 404 and I am seeing the IIS 8 error instead of my Http404 view.
Controller :
return new HttpNotFoundResult();
How to avoid this IIS8 error page, and still make my view the error provider?
EDIT*
I found out that if instead of HttpNotFoundResult() I use the old throw new HttpException(404, "HTTP/1.1 404 Not Found"); it works.
Why this difference ?
Thanks
The <customErrors> section is aimed to control the behavior when an Application Error occurs. That's also why it's defined under the <system.web> section.
When you explicitly throw an HttpException (or when any other internal exception occurs) the <customErrors> settings will be used as it's considered (rightfully) an application error.
On the other hand, when you simply return HttpNotFoundResult(), no application error is being thrown (internally, it just sets the HTTP response status code and message to 404) and the MvcHandler will hand over the request to the next handler in the pipeline. So you eventually end up with a regular Server Error that is handled by IIS just like any other '404 not found' request, and the <customErrors> section does not affect its behavior.
So, you need to control IIS behavior when regular server error occurs. To do this, use the <system.webServer/httpErrors> section as follows:
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="404"/>
<error statusCode="404" path="/redir/Home/Http404" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
See Documentation
Ive got an interesting issue happening.The site is getting a bunch of the error messages from other sites (not my own):
Exception type: HttpRequestValidationException
Exception message: A potentially dangerous Request.Form value was detected from the client (comment="...er[/url] <a href="http://obey...").
Request path: /404_custom.aspx
The source host is not my server IP and the URL is from a completely different URL however it is ending up in my Event Viewer. Im assuming this is some kind of spambot that is causing issues - or potentially i have stumbled upon a problem with my IIS application.
We have the following in our web.config:
<httpErrors>
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/404_custom.aspx" responseMode="ExecuteURL" />
</httpErrors>
I understand that these errors are caused by corss-site scripting, but why would the host of the site be another site thats not my own? Could it do with the bindings set against the IIS application?
Does anyone know of why this would be happening? Is this caused by a spambot or some sort of attack? Anyone have any words of widsom?
My MVC3 application displays custom error pages for 403, 404, and 500 status codes, but browsing to trace.axd displays the following YSOD:
Server Error in '/' Application.
Trace Error
Description: Trace.axd is not enabled in the configuration file for this application. Note: Trace is never enabled when <deployment retail=true />
Details: To enable trace.axd, please create a <trace> tag within the configuration file located in the root directory of the current web application. This <trace> tag should then have its "enabled" attribute set to "true".
<configuration>
<system.web>
<trace enabled="true"/>
</system.web>
</configuration>
So I have trace disabled, which is good, but why is the 500 page not being displayed, since this it's a 403 being returned from the server? I'd be happy enough with a 404, 403, or 500 really - just as long as it's not an ugly yellow screen!
Edit: I was getting a 500 along with the YSOD when running on localhost, but it's actually a 403 on the server which is closer to what I was expecting - but still no custom error page. It's also a slightly different standard error page on the server:
Server Error in '/' Application.
Trace Error
Description: The current trace settings prevent trace.axd from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable trace.axd to be viewable on remote machines, please create a <trace> tag within the configuration file located in the root directory of the current web application. This <trace> tag should then have its "localOnly" attribute set to "false".
<configuration>
<system.web>
<trace localOnly="false"/>
</system.web>
</configuration>
Removing the IgnoreRoute as suggested by #Cosmologinaut didn't work for me and as he says feels wrong. I found a better solution which is to remove the tracing HTTP handler in the Web.config file:
<system.webServer>
<!-- remove TraceHandler-Integrated - Remove the tracing handlers so that navigating to /trace.axd gives us a
404 Not Found instead of 500 Internal Server Error. -->
<handlers>
<remove name="TraceHandler-Integrated" />
<remove name="TraceHandler-Integrated-4.0" />
</handlers>
</system.webServer>
Navigating to /trace.axd now gives us a 404 Not Found instead of 500 Internal Server Error.
Since there were no responses I asked #shanselman on Twitter, who suggested <deployment retail = "true" /> might solve it, but it still returned the same YSOD.
In the end I solved it by removing routes.IgnoreRoute("{resource}.axd/{*pathInfo}"); from the routing config. Doesn't quite seem right, but it works.