Preventing an error 403 ever reaching the client

I was put in the strange position of preventing an ASP.net web application sending an error HTTP 403 to the client.  This was following 'security recommendations from the experts' that an error 403 confirms to an attacker that they have identified a part of the file structure.

Anyway this is how I managed to do it:

Add an Application_Error method to Global.asax which directs the user to a known page:

protected void Application_Error(object sender, EventArgs e)

            {

           

                Response.Redirect("Default.aspx");

           

}

and configure IIS custom error page to direct to a non-existing page,  this will show in the logs so choose something like /AttemptToAccess403.aspx.

When the server encounters a 403 it will look up the non-existing page which will cause an error in the application.  This is caught via the Application_Error method and will direct the user to a valid page (Default.aspx).  To the user this is invisible, however the server has logged the attempt to access a directory structure (403) as an attempt to access page /AttemptToAccess403.aspx and an error 403 is never propogated to the client and hence satisfies the security requirement.

Headers returned to the client:

(before)

HTTP/1.x 301 Moved Permanently

HTTP/1.x 302 Found

(after)

HTTP/1.x 200 OK

HTTP/1.x 200 OK

As for the initial 'security' concern....

ASP Menu bug in IE8 and Chrome

Well it turns out there is a bug in the ASP Menu control that stops the dynamic part of the menu rendering when the user rolls their mouse over a static part of the menu.

It appears the problem is to do with the way the control checks if the browser has javascript enabled, and it decides both IE 8 and Chrome don't, hence nothing is shown to the user.

The only work arounds I've come across are:

• Don't use the thing
• Put IE8 into compatibility mode (or download this hotfix)
• Use this nasty hack around

Obviously we cannot expect our users to have to follow special procedures to view our site, and with the only other solution being a hack, we'd rather go with something else completely...