.NET Daily

Passive Security Tip: Error HTTP 403


Introduction

Usually the HTTP 403 error is triggered when directory browsing is disabled in IIS and the user tries to access a directory in the website structure to which access is forbidden.
An attacker can use the HTTP 403 error to map your website's directories in order to discover sensitive information for an attack.

Remedy

Always display custom errors when an exception occurs, and provide the same generic text for 404 and 403 errors, so that the attacker cannot identify which code the error had.

<!-- web.config, inside <system.webServer>: serve the same page for 404 and 403 -->
<httpErrors errorMode="Custom" existingResponse="Replace">
	<remove statusCode="404" subStatusCode="-1" />
	<remove statusCode="403" subStatusCode="-1" />
	<error statusCode="404" path="/Error.aspx" responseMode="ExecuteURL" />
	<error statusCode="403" path="/Error.aspx" responseMode="ExecuteURL" />
</httpErrors>
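
A way to check the result on your own site after applying the remedy above, as an added example that is not part of the original post: compare the response for a directory that exists but is forbidden with the response for a path that does not exist, and list anything that still tells them apart. The names Response, fetch and distinguishing_signals are hypothetical, and the sample responses are constructed, not captured from IIS.

```python
import urllib.error
import urllib.request
from typing import NamedTuple


class Response(NamedTuple):
    status: int
    body: bytes


def fetch(url: str) -> Response:
    """Fetch a URL on your own site; error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return Response(r.status, r.read())
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a status and a body
        return Response(e.code, e.read())


def distinguishing_signals(forbidden: Response, missing: Response) -> list[str]:
    """List what lets a client tell a forbidden directory from a missing path."""
    signals = []
    if forbidden.status != missing.status:
        signals.append(f"status code differs: {forbidden.status} vs {missing.status}")
    if len(forbidden.body) != len(missing.body):
        signals.append(
            f"body length differs: {len(forbidden.body)} vs {len(missing.body)}")
    elif forbidden.body != missing.body:
        signals.append("body content differs")
    return signals


# Constructed sample responses (assumptions for illustration only).
GENERIC = b"<html><body>An error occurred.</body></html>"
CASES = {
    "distinct error pages": (Response(403, b"Forbidden"), Response(404, b"Not Found")),
    "same page, different status": (Response(403, GENERIC), Response(404, GENERIC)),
    "same page, same status": (Response(404, GENERIC), Response(404, GENERIC)),
}

if __name__ == "__main__":
    for label, (forbidden, missing) in CASES.items():
        found = distinguishing_signals(forbidden, missing)
        print(f"{label}: {found or 'indistinguishable'}")
```

Against a live site, pass the two results of fetch() to distinguishing_signals(); an empty list means the two cases look the same to a client.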
Darius

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.
