How to tell IIS not to return http 500 error and show custom page

Question
-
User706407582 posted
Hi
I have an ASP.NET (4.6.2) website that is getting scanned by a tool called "Hailstorm" to check for vulnerabilities.
I have the below queries ->
Query 1 ->
As per this tool, if there is any unhandled error in the application which is 500, the application should not show this 500 error, since it has many details which will help an attacker with server directories and absolute path information.
So I am trying to achieve 2 things ->
Tell IIS not to return 500 error
For any unhandled error, show custom page.
Below are 2 approaches I am trying. Can you please tell which approach will help me to achieve the above?
Approach 1 -> global exception handling. Make custom errors mode on and show default as well as customized error. Will this stop IIS from returning 500?
<customErrors mode="On" defaultRedirect="Error.html" >
<error statusCode="403" redirect="Error.html"/>
<error statusCode="404" redirect="Error404.html"/>
<error statusCode="400" redirect="Error404.html"/>
<error statusCode="500" redirect="Error500.html"/>
</customErrors>
Approach 2 -> redirection based on error status code using httpError tag
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace">
<remove statusCode="404"/>
<remove statusCode="500"/>
<remove statusCode="403"/>
<error statusCode="400" responseMode="ExecuteURL" path="/Error400.html"/>
<error statusCode="404" responseMode="ExecuteURL" path="/Error404.html"/>
<error statusCode="500" responseMode="ExecuteURL" path="/Error500.html"/>
<error statusCode="403" responseMode="ExecuteURL" path="/Error400.html"/>
</httpErrors>
</system.webServer>
Currently this approach is working locally only. It's NOT working on the deployed site; I am getting the below error ->
The webpage cannot be found. This error (HTTP 404 Not Found) means that Internet Explorer was able to connect to the website, but the page you
wanted was not found. It’s possible that the webpage is temporarily unavailable. Alternatively, the website might have changed or removed the
webpage.
Any suggestions how to fix it? Quick help will be appreciated.
Approach 3 -> Do we have any better, easier and quicker to fix approach for this?
Query 2 ->
If ASP.NET code has an unhandled exception, how is the error propagation? I am getting confused about what comes first:
Application_Error event OR IIS exception?
If someone can explain this shortly, I will be able to understand where I should set my HttpResponse to a non-HTTP-error code or something.
Basically I want to understand the component-wise flow of execution in case of an application exception.
Please let me know. Also it will be great if you can suggest what needs to be done to fix Approach 2 on the deployed site (it's working locally but not in IIS).
Regards
Sarang
Thank you.
Tuesday, February 5, 2019 8:26 PM
Answers
-
User706407582 posted
Thanks everyone for your replies.
I had to go to each exception blocks and throw my own exception as per requirement.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, April 24, 2019 3:20 PM
All replies
-
User283571144 posted
Hi sarang1183,
As far as I know, the customErrors attribute is used when the .NET code is throwing an exception (404, 403, 500 etc) and the httpErrors attribute is used when IIS itself is throwing an exception. This will come first.
If your web.config setting is wrong, it will not use customErrors's error page, it will use IIS exception page(httpErrors).
For example:
/myfakeextensionslessurl --> httpErrors 404
/myfakeaspsx.aspx --> customErrors 404
/myfakeimage.jpg --> httpErrors 404
/throw500.apx --> customErrors 500
/throw500 --> customErrors 500
Normally, we will enable both customErrors page and httpErrors, since they handle different errors.
The webpage cannot be found. This error (HTTP 404 Not Found) means that Internet Explorer was able to connect to the website, but the page you
wanted was not found. It’s possible that the webpage is temporarily unavailable. Alternatively, the website might have changed or removed the
webpage.
This error means the server couldn't find the error page in your application.
I suggest you first check your application on the deployed server to make sure the error html page exists on the root path.
Best Regards,
Brando
Wednesday, February 6, 2019 3:08 AM -
User706407582 posted
Hi Brando
Thanks for your reply. I am getting below error only on deployed site, not in local solution. My file path structure is correct.
The webpage cannot be found. This error (HTTP 404 Not Found) means that Internet Explorer was able to connect to the website, but the page you
wanted was not found. It’s possible that the webpage is temporarily unavailable. Alternatively, the website might have changed or removed the
webpage.
My Web.config and the error pages put in <httperrors> are on the same level. Still I am getting the error.
Can this be any permission issue? Can you please suggest where should be error page and web.config? I can try that hierarchy.
Thursday, February 7, 2019 10:29 PM -
User283571144 posted
Hi sarang1183,
Can this be any permission issue ? Can you please suggest where should be error page and web.config ? I can try that hierarchy.
The permission error is 401 or 403, not a 404 error.
Could you please share your deployed site's composition? Do you host it on IIS? Does your site contain a virtual directory?
You should make sure the error html page is at the root path of your deployed site's application.
Best Regards,
Brando
Friday, February 8, 2019 8:57 AM
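The replies above come down to two checks on a deployed site: that neither error section is in a mode that sends details to clients, and that every error page named in web.config actually exists under the site root. One way to automate both, as an added example that is not code from this thread; the sample web.config, the function names and the assumption that the application sits at the site root (no virtual directory) are constructed for illustration:

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the question's two fragments merged into one web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="Error.html">
      <error statusCode="404" redirect="Error404.html"/>
      <error statusCode="500" redirect="Error500.html"/>
    </customErrors>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <error statusCode="500" responseMode="ExecuteURL" path="/Error500.html"/>
    </httpErrors>
  </system.webServer>
</configuration>"""

def audit_error_pages(config_xml, site_root):
    """Return findings: detail-leaking error modes and referenced error pages missing on disk."""
    root = ET.fromstring(config_xml)
    findings, pages = [], []
    for ce in root.iter("customErrors"):
        if ce.get("mode") == "Off":
            findings.append("customErrors mode is Off: ASP.NET error details are sent to clients")
        pages.append(("customErrors default", ce.get("defaultRedirect")))
        pages += [(f"customErrors {e.get('statusCode')}", e.get("redirect")) for e in ce.findall("error")]
    for he in root.iter("httpErrors"):
        if he.get("errorMode") == "Detailed":
            findings.append("httpErrors errorMode is Detailed: IIS error details are sent to clients")
        pages += [(f"httpErrors {e.get('statusCode')}", e.get("path"))
                  for e in he.findall("error") if e.get("responseMode") == "ExecuteURL"]
    for label, url in pages:
        # Assumption: app is at the site root, so "/x", "~/x" and "x" all map to site_root/x.
        rel = (url or "").split("?", 1)[0].lstrip("~/")
        if rel and not os.path.isfile(os.path.join(site_root, *rel.split("/"))):
            findings.append(f"{label}: {url} not found under site root")
    return findings

def demo():
    # Constructed deployment: only two of the three referenced pages were copied.
    with tempfile.TemporaryDirectory() as site_root:
        for name in ("Error404.html", "Error500.html"):
            open(os.path.join(site_root, name), "w").close()
        return audit_error_pages(SAMPLE_WEB_CONFIG, site_root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

If the application is hosted under a virtual directory, pass that directory's physical path as `site_root`, since the URL-to-file mapping above no longer holds for the site's top-level folder.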