ASP.NET Security Vulnerability Error Handling Project Part 1

Tuesday, September 21, 2010

Added note: A patch has been created. See Scott Guthrie's post here.

After having read Scott Guthrie's post on ASP.NET Security Vulnerability, I decided to take my existing error handling code, update it with his suggested sleep delay, and put it into a separate VB.NET Visual Studio project to share with others.

In my project, you may optionally display the details of the error on the page if you update the code to set the debug flag to true, for instance, if the developer is logged in. I also send the error message and site specific details to the developer via email. That way, you will receive all error details, even though the user does not. Even after Microsoft releases a patch for this security vulnerability, this working project will still be valuable for generating your error messages and sending emails.

The complete project can be found in this NannetteThackerErrorHandling.zip file.

Through the years, I have borrowed from other's examples on the web. Thanks to Scott Mitchell for his HttpException handling retrieval. See more details of Gracefully Responding to Unhandled Exceptions - Displaying User-Friendly Error Pages and Gracefully Responding to Unhandled Exceptions - Processing Unhandled Exceptions and Displaying a Custom Error Page.

Web.Config

To use the code from this project, update the web.config settings to add your own values:

Turn on customErrors:

And make sure you turn off the debugging prior to publishing:

MasterPage and Default

I created a simple MasterPage because I like my error screen to use the site's MasterPage. The Default page simply has two buttons for testing purposes. One generates a Coding Error and the other generates a page not found error.

When running locally in debug mode, selecting the "Generate Coding Error" button will display an "InvalidCastException" error. Hit "F5" to continue. The error page will display without providing details of the error.

Click your BACK button and try the "Generate Page Not Found Error" button. Both display the same page and error.

To generate these errors, I simply create them on the button clicks:

Protected Sub btnCodingError_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnCodingError.Click
Dim this As String = "that"
Dim id As Integer = this
End Sub

Protected Sub btnPageNotFound_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnPageNotFound.Click
Response.Redirect("FakePage.html", False)
End Sub

Error Page

On my Error.aspx page, I simply display a non-descript error message. I place a label for an optional errorMessage for the developer.

<img src="<%=ResolveUrl("~/Module/Images/oops.jpg") %>" alt="Oops!" align="left" hspace="15" vspace="15" />
<br /><h2>Oops! Did I do that?</h2>
An unexpected error has occurred. The administrator has been notified.<br />
<br />
<asp:Label ID="errorMessage" runat="server" Text=""></asp:Label>

In my code-behind:

Option Strict On
Option Explicit On
Imports System.Security.Cryptography
Imports System.Threading

Partial Class Modules_ErrorPages_Error
Inherits System.Web.UI.Page Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

Try

' http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
' add sleep delay

Dim delay As Byte() = New Byte(0) {}
Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
prng.GetBytes(delay)
Thread.Sleep(CType(delay(0), Integer))
Dim disposable As IDisposable = TryCast(prng, IDisposable)

If Not disposable Is Nothing Then
disposable.Dispose()
End If

' email yourself error details...
' optionally add code to check if web administrator/developer is logged in, if so display on screen in errorMessage
' if not, just send the email...
' change debug to false prior to publishing...

Dim debug As Boolean = False
If debug Then
errorMessage.Text = ErrorHandling.Application_Error(Server.GetLastError(), Request.RawUrl, User.Identity.Name)
Else
ErrorHandling.Application_Error(Server.GetLastError(), Request.RawUrl, User.Identity.Name)
End If
Catch ex As Exception
End Try
End Sub
End Class