This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Monday, 14 December 2009

Preventing an error 403 ever reaching the client

I was put in the strange position of preventing a web application sending an HTTP 403 error to the client.  This was following 'security recommendations from the experts' that an error 403 confirms to an attacker that they have identified a part of the file structure.

Anyway, this is how I managed to do it.

Add an Application_Error method to Global.asax which directs the user to a known page:

   protected void Application_Error(object sender, EventArgs e)
   {
       // Drop the pending exception so no error page is rendered,
       // then send the user to a known page.
       Server.ClearError();
       Response.Redirect("Default.aspx");
   }

and configure the IIS custom error page for 403 to point at a page that does not exist.  That page name will show in the IIS logs, so choose something recognisable such as /AttemptToAccess403.aspx.

When the server encounters a 403 it looks up the non-existing page, which raises an error in the application.  This is caught by the Application_Error method, which redirects the user to a valid page (Default.aspx).  To the user this is invisible; however, the server has logged the attempt to access the directory structure (403) as an attempt to access page /AttemptToAccess403.aspx, and an error 403 is never propagated to the client, which satisfies the security requirement.
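The two steps above combined into one Global.asax code-behind, as an added example rather than the post author's code. It assumes an IIS 7 or later site whose web.config routes 403 responses to the non-existent page the post suggests (the httpErrors fragment in the leading comment), and it adds the piece a defender would want that the post leaves to the IIS log alone: recording the suppressed status and client before the error is cleared. The landing page path and the use of Trace for logging are assumptions for this example.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Global.asax.cs. Assumes web.config contains, under <system.webServer>:
//
//   <httpErrors errorMode="Custom">
//     <remove statusCode="403" subStatusCode="-1" />
//     <error statusCode="403" path="/AttemptToAccess403.aspx" responseMode="ExecuteURL" />
//   </httpErrors>
//
// Executing a missing .aspx raises an HttpException (404) inside ASP.NET,
// which is what delivers the original 403 into Application_Error below.
public class Global : HttpApplication
{
    // Known-good page the user is sent to (assumed path for this example).
    private const string SafeLanding = "~/Default.aspx";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        HttpException httpEx = ex as HttpException;
        int originalStatus = httpEx != null ? httpEx.GetHttpCode() : 500;

        // The IIS log only records a hit on /AttemptToAccess403.aspx. Keep the
        // details the defender needs (status, URL as ASP.NET saw it, client
        // address) before the exception is discarded. Under the ExecuteURL
        // rewrite, Request.RawUrl is normally the substitute page, so the
        // client address and timestamp are what tie this entry to the IIS log.
        Trace.TraceWarning("Suppressed HTTP {0} for {1} from {2}: {3}",
            originalStatus, Request.RawUrl, Request.UserHostAddress, ex.Message);

        // Clear the error so neither IIS nor ASP.NET renders an error page,
        // then redirect without throwing ThreadAbortException (endResponse = false)
        // and finish the pipeline cleanly.
        Server.ClearError();
        Response.Redirect(SafeLanding, false);
        CompleteRequest();
    }
}
```

One caveat worth keeping in mind when deciding whether this meets the requirement: the client still receives the 302 shown in the header capture below rather than a 403, so the status code changes but a redirect to Default.aspx remains a different response from a normal 200. If that distinction also matters, Server.Transfer to the landing page keeps the response at 200; that is a design choice the post does not make.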

Headers returned to the client:

HTTP/1.x 301 Moved Permanently
HTTP/1.x 302 Found

HTTP/1.x 200 OK
HTTP/1.x 200 OK

As for the initial 'security' concern....
