ASP.NET Security Vulnerability Error Handling Project Part 1

Added note: A patch has been created. See Scott Guthrie's post here. 

After having read Scott Guthrie's post on ASP.NET Security Vulnerability, I decided to take my existing error handling code, update it with his suggested sleep delay, and put it into a separate VB.NET Visual Studio project to share with others.

In my project, you may optionally display the details of the error on the page if you update the code to set the debug flag to true, for instance, if the developer is logged in. I also send the error message and site specific details to the developer via email. That way, you will receive all error details, even though the user does not. Even after Microsoft releases a patch for this security vulnerability, this working project will still be valuable for generating your error messages and sending emails.

The complete project can be found in this NannetteThackerErrorHandling.zip file.

Through the years, I have borrowed from others' examples on the web. Thanks to Scott Mitchell for his HttpException handling retrieval. See more details in Gracefully Responding to Unhandled Exceptions - Displaying User-Friendly Error Pages and Gracefully Responding to Unhandled Exceptions - Processing Unhandled Exceptions and Displaying a Custom Error Page.

Web.Config

To use the code from this project, update the web.config settings to add your own values:

<appSettings>
    <add key="ErrorHandlingMailTo" value="yourmail@yourmail.com"/>
    <add key="MailFrom" value="yourmail@yourmail.com"/>
    <add key="MailHost" value="smtp.yourmail.com"/>
</appSettings>

Turn on customErrors:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Module/Admin/ErrorPages/Error.aspx">
</customErrors>

And make sure you turn off debugging prior to publishing. The compilation element below shows the development setting (debug="true"); change it to debug="false" for the published site:

<compilation debug="true" strict="false" explicit="true">
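As an added illustration (not part of the original project), here is the customErrors section in two shapes: a weaker form that maps status codes to different pages, and the single-page form the post uses. The point of the workaround is that every failure, whether a bad request, a page-not-found or a coding error, produces the same response, so a client cannot tell error types apart from the page, the URL or the status code. The NotFound.aspx and ServerError.aspx paths are constructed placeholders; the redirectMode attribute requires .NET 3.5 SP1 or later.

```xml
<!-- BEFORE (weaker): per-status-code pages let a client distinguish error types.
     The two extra page names are placeholders for this example. -->
<customErrors mode="On" defaultRedirect="~/Module/Admin/ErrorPages/Error.aspx">
  <error statusCode="404" redirect="~/Module/Admin/ErrorPages/NotFound.aspx"/>
  <error statusCode="500" redirect="~/Module/Admin/ErrorPages/ServerError.aspx"/>
</customErrors>

<!-- AFTER (as the post configures it): one page for every error, rewritten in
     place so neither the URL nor the status code changes between error kinds,
     and no <error> child elements. Debug compilation is off for publishing. -->
<customErrors mode="On" redirectMode="ResponseRewrite"
              defaultRedirect="~/Module/Admin/ErrorPages/Error.aspx" />
<compilation debug="false" strict="false" explicit="true" />
```

When checking an existing site, look for any <error statusCode="..."> children under customErrors and for customErrors mode="Off" or mode="RemoteOnly"; either one reintroduces a distinguishable response.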

MasterPage and Default

I created a simple MasterPage because I like my error screen to use the site's MasterPage. The Default page simply has two buttons for testing purposes. One generates a coding error and the other generates a page-not-found error.

When running locally in debug mode, selecting the "Generate Coding Error" button will display an "InvalidCastException" error. Hit "F5" to continue. The error page will display without providing details of the error.

Click your BACK button and try the "Generate Page Not Found Error" button. Both display the same page and error.

To generate these errors, I simply create them on the button clicks:

' Deliberately assigns a String to an Integer; with Option Strict Off this
' compiles and throws an InvalidCastException at runtime.
Protected Sub btnCodingError_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnCodingError.Click
    Dim this As String = "that"
    Dim id As Integer = this
End Sub

' Redirects to a page that does not exist to produce a 404.
Protected Sub btnPageNotFound_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnPageNotFound.Click
    Response.Redirect("FakePage.html", False)
End Sub

Error Page 

On my Error.aspx page, I simply display a nondescript error message. I place a label for an optional errorMessage for the developer.

<img src="<%=ResolveUrl("~/Module/Images/oops.jpg") %>" alt="Oops!" align="left" hspace="15" vspace="15" />
<br /><h2>Oops! Did I do that?</h2>
An unexpected error has occurred. The administrator has been notified.<br />
<br />
<asp:Label ID="errorMessage" runat="server" Text=""></asp:Label>

In my code-behind:

Option Strict On
Option Explicit On

Imports System.Security.Cryptography
Imports System.Threading

Partial Class Modules_ErrorPages_Error
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Try
            ' http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
            ' add sleep delay: a cryptographically random 0-255 ms so response
            ' timing does not reveal which kind of error occurred
            Dim delay As Byte() = New Byte(0) {}
            Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
            prng.GetBytes(delay)
            Thread.Sleep(CType(delay(0), Integer))
            Dim disposable As IDisposable = TryCast(prng, IDisposable)
            If Not disposable Is Nothing Then
                disposable.Dispose()
            End If

            ' email yourself error details...
            ' optionally add code to check if web administrator/developer is logged in, if so display on screen in errorMessage
            ' if not, just send the email...
            ' change debug to false prior to publishing...
            Dim debug As Boolean = False
            If debug Then
                errorMessage.Text = ErrorHandling.Application_Error(Server.GetLastError(), Request.RawUrl, User.Identity.Name)
            Else
                ErrorHandling.Application_Error(Server.GetLastError(), Request.RawUrl, User.Identity.Name)
            End If
        Catch ex As Exception
            ' swallow everything: the error page must never raise a second,
            ' different error response
        End Try
    End Sub
End Class
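The code-behind above leaves the "is the developer logged in?" check as a comment and disposes the random number generator by hand. As an added example, which is not part of the original project, the following VB.NET module packages the random delay and that role check so every error page can share them; the module name ErrorResponseHelper and the role name "Developer" are assumptions, and ErrorHandling.Application_Error is the function shown in Part 2 of the post.

```vb
Option Strict On
Option Explicit On

Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Threading

' Assumed helper module (not from the original project).
Public Module ErrorResponseHelper

    ' Sleep for a cryptographically random 0-255 ms so the response time does
    ' not reveal which kind of error occurred (the same technique as Scott
    ' Guthrie's workaround). Using/End Using disposes the RNG even if Sleep throws.
    Public Sub RandomDelay()
        Dim delay(0) As Byte                 ' one-element array
        Using prng As New RNGCryptoServiceProvider()
            prng.GetBytes(delay)
        End Using
        Thread.Sleep(CInt(delay(0)))
    End Sub

    ' Show exception details only to an authenticated user in the assumed
    ' "Developer" role; everyone else gets the generic page. This replaces the
    ' hand-edited debug flag, so nothing has to change before publishing.
    Public Function ShouldShowDetails(ByVal user As IPrincipal) As Boolean
        If user Is Nothing OrElse user.Identity Is Nothing Then Return False
        Return user.Identity.IsAuthenticated AndAlso user.IsInRole("Developer")
    End Function

End Module

' The error page's Page_Load rewritten to use the helper.
Partial Class Modules_ErrorPages_Error
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Try
            ErrorResponseHelper.RandomDelay()

            ' Always email the details (Part 2 of the post); the return value is
            ' the formatted message.
            Dim details As String = ErrorHandling.Application_Error( _
                Server.GetLastError(), Request.RawUrl, User.Identity.Name)

            If ErrorResponseHelper.ShouldShowDetails(User) Then
                errorMessage.Text = details
            End If
        Catch ex As Exception
            ' The error page must never throw: a second, different failure
            ' response is exactly what the uniform page is meant to prevent.
        End Try
    End Sub
End Class
```

Because the delay and the role check run before anything is written to the label, an anonymous visitor sees the same page, with the same timing distribution, for a coding error and for a page-not-found error.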

Notice that if you turn on the debug flag, the error details are displayed on the screen.

In ASP.NET Security Vulnerability Error Handling Project Part 2 of this post, I'll show the actual ErrorHandling class. In ASP.NET Security Vulnerability Error Handling Project Part 3 I'll show the SendMailMessage function.

The complete project can be found in this NannetteThackerErrorHandling.zip file.

May your dreams be in ASP.NET! 

Nannette Thacker

Shining Star Services LLC on LinkedIn
