We have a client that uses HP WebInspect to test our software for vulnerabilities.
The scanner complains about the error messages returned for requests such as the following: http://host/application/WebService.asmx/MethodDoesNotExist
The ASP.Net framework returns a page with the following text content and status code 500.
System.IndexOutOfRangeException: Index was outside the bounds of the array.
FYI: if custom errors are disabled in web.config, we also get a stack trace - for example,
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at System.Web.Services.Protocols.HttpServerType..ctor(Type type)
   at System.Web.Services.Protocols.HttpServerProtocol.Initialize()
   at System.Web.Services.Protocols.ServerProtocol.SetContext(Type type, HttpContext context, HttpRequest request, HttpResponse response)
   at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
Now the scanning tool treats this result as a security vulnerability, because the page has status code 500 (so the server acknowledged that an error occurred), and the error message looks like it may leak information about the internal workings of the software. Best practice is always to display a generic, non-standard error message.
The problem is that I do not seem to have any control over this error message - it is generated by the framework, and the Application_Error code is never reached.
The .asmx code looks something like this:
using System.Web.Script.Services;
using System.Web.Services;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]   // lets the service be called from client script (JSON)
public class FooService
{
    [WebMethod(true)]   // true = enableSession
    [ScriptMethod]
    public string Bar(int fooParam)
    {
        return "Hello";
    }
}
IIS 6 (Windows 2003)
ASP.Net 3.5
<httpErrors errorMode="Custom">
    <remove statusCode="500" subStatusCode="-1" />
    <error statusCode="500" prefixLanguageFilePath="" path="/application/http500.htm" responseMode="ExecuteURL" />
</httpErrors>
<customErrors defaultRedirect="~/ErrorPages/GeneralError.aspx" mode="On">
    <error redirect="500.htm" statusCode="500" />
</customErrors>
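One way to get a generic body for these framework-generated 500s, as an added example that is not part of the original question: an IHttpModule that runs at EndRequest (which the pipeline still reaches when the ASMX handler factory fails, unlike Application_Error) and replaces the response body. The module and the names MyApp/AsmxErrorSanitizer are placeholders chosen here; it assumes output buffering is on (the default) so that Response.Clear() discards the exception text the handler factory has already written.

```csharp
using System;
using System.Web;

// Added example (not the asker's code): replaces any 500 response for an
// .asmx request with a generic body so the framework's exception text and
// stack trace never reach the client. Assumes response buffering is on.
// Register it in web.config under <system.web><httpModules> as
//   <add name="AsmxErrorSanitizer" type="MyApp.AsmxErrorSanitizer" />
// (MyApp and AsmxErrorSanitizer are placeholder names for this example).
namespace MyApp
{
    public class AsmxErrorSanitizer : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // EndRequest still fires after the ASMX handler factory has
            // written its error, whereas Application_Error never does.
            app.EndRequest += OnEndRequest;
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (!IsAsmxServerError(ctx.Request.Path, ctx.Response.StatusCode))
                return;

            HttpResponse response = ctx.Response;
            response.Clear();                 // drop the buffered exception text
            response.StatusCode = 500;        // keep the status, change the body
            response.ContentType = "text/plain";
            response.Write("An internal error occurred."); // generic, non-revealing
        }

        // Decision logic kept separate from the pipeline code so it can be tested.
        internal static bool IsAsmxServerError(string path, int statusCode)
        {
            if (statusCode != 500 || string.IsNullOrEmpty(path))
                return false;
            // Matches /application/WebService.asmx and .../WebService.asmx/Method
            return path.IndexOf(".asmx", StringComparison.OrdinalIgnoreCase) >= 0;
        }

        public void Dispose() { }
    }
}
```

Because the module only inspects the status code and path, it also sanitizes 500s that other .asmx requests produce, which is the intended behaviour for a scanner-facing deployment.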