Missing global error handler¶
ID: cs/web/missing-global-error-handler
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-12
- external/cwe/cwe-248
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
Web.config files that set the customErrors mode to Off and do not provide an Application_Error method in the global.asax.cs file rely on the default error pages, which leak information such as stack traces.
Recommendation¶
Set the customErrors to On to prevent the default error page from being displayed, or to RemoteOnly to only show the default error page when the application is accessed locally. Alternatively, provide an implementation of the Application_Error method in the global.asax.cs page.
Example¶
The following example shows a Web.config file in which the custom errors mode has been set to Off.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<customErrors mode="Off">
...
</customErrors>
</system.web>
</configuration>
This can be fixed either by specifying a different mode, such as On, in the Web.config file:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<customErrors mode="On">
...
</customErrors>
</system.web>
</configuration>
or by defining an Application_Error method in the global.asax.cs file:
using System;
using System.Web;
namespace WebApp
{
public class Global : HttpApplication
{
void Application_Error(object sender, EventArgs e)
{
// Handle errors here
}
}
}