This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Monday, 14 December 2009

Preventing an error 403 ever reaching the client

I was put in the strange position of preventing an ASP.NET web application from sending an HTTP 403 error to the client. This followed 'security recommendations from the experts' that a 403 confirms to an attacker that they have identified part of the file structure.

Anyway, this is how I managed to do it.

Add an Application_Error method to Global.asax that redirects the user to a known page:

    protected void Application_Error(object sender, EventArgs e)
    {
        // Clear the pending exception so ASP.NET does not also emit its own error page.
        Server.ClearError();

        // Send the user to a known-good page; the original 403 never reaches the client.
        Response.Redirect("Default.aspx");
    }

and configure the IIS custom error page for 403 to point to a page that does not exist. The requested path will show up in the IIS logs, so choose something descriptive such as /AttemptToAccess403.aspx.

When the server encounters a 403 it looks up the non-existent page, which raises an error in the application. That error is caught by the Application_Error method, which redirects the user to a valid page (Default.aspx). To the user this is invisible, but the server has logged the attempt to access the directory structure (the 403) as a request for /AttemptToAccess403.aspx, and a 403 is never propagated to the client, which satisfies the security requirement.
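Since the whole point of the sentinel page is that the blocked requests still show up in the IIS log, here is an added example (not code from the post) that pulls those hits out of a W3C-format log and counts them per client. The log lines are constructed for the example; the sentinel path is the one chosen above.

```python
"""Surface the sentinel 403 hits from an IIS W3C log (constructed sample)."""
from collections import Counter

# Sentinel path configured as the IIS 403 custom error page (from the post).
SENTINEL = "/attempttoaccess403.aspx"

# Constructed sample of an IIS W3C extended log; not a real server log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-12-14 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-12-14 09:00:01 10.0.0.5 GET /Default.aspx - 200
2009-12-14 09:00:07 10.0.0.9 GET /AttemptToAccess403.aspx - 302
2009-12-14 09:00:08 10.0.0.9 GET /Default.aspx - 200
2009-12-14 09:00:12 10.0.0.9 GET /AttemptToAccess403.aspx - 302
2009-12-14 09:01:30 10.0.0.7 GET /AttemptToAccess403.aspx - 302
"""


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        elif fields:
            yield dict(zip(fields, line.split()))


def sentinel_hits(text):
    """Return {client_ip: count} of requests that IIS rewrote to the sentinel page."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() == SENTINEL:
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(sentinel_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} blocked directory/file probe(s)")
```

Point it at a real log file by reading the file's contents into `sentinel_hits`; a client with many hits in a short window is worth a closer look.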

Headers returned to the client:

(before)
HTTP/1.x 301 Moved Permanently
HTTP/1.x 302 Found

(after)
HTTP/1.x 200 OK
HTTP/1.x 200 OK

As for the initial 'security' concern....


Thursday, 3 December 2009

ASP Menu bug in IE8 and Chrome

Well, it turns out there is a bug in the ASP Menu control that stops the dynamic part of the menu rendering when the user rolls the mouse over a static part of the menu.

It appears the problem is to do with the way the control checks whether the browser has JavaScript enabled: it decides that both IE 8 and Chrome don't, so nothing is shown to the user.

The only workarounds I've come across are:

Obviously we cannot expect our users to follow special procedures to view our site, and with the only other solution being a hack, we'd rather go with something else entirely...