Sending malicious characters in the GET request Like ' : In asp .NET MVC - asp.net-mvc-5

I have an error like
Ex :– Sending malicious characters in the GET request Like ' : In asp .NET MVC
I am getting this error
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /Sonar'
I need a solution like
create a custom error page for all exception conditions. So for any HTTP error codes that are not 200 OK, the custom page should be returned to the user rather than showing exception
conditions.
I was adding code in web.config file and create one error controller and add one view. how to redirect to all modules into one custom error page when I have enter malicious character.
customErrors mode="On" defaultRedirect="~/ErrorController/ErrorView"
<error redirect="~/ErrorController/ErrorView/400" statusCode="404"
<error redirect="~/ErrorController/ErrorView/500" statusCode="500"
customErrors
public class ErrorController : Controller
{
public ActionResult ErrorView(int id)
{
Viewbag.StatusCode=id;
return View();
}
}

Related

How to show custom error page instead of iis 403 error page?

my web.config :
<customErrors mode="Off" redirectMode="ResponseRewrite" defaultRedirect="~/Pages/Error/DefaultError.aspx">
<error statusCode="404" redirect="~/Pages/Error/Page404.aspx" />
<error statusCode="500" redirect="~/Pages/Error/DefaultError.aspx" />
</customErrors>
<httpErrors existingResponse="Replace" defaultResponseMode="ExecuteURL" errorMode="Custom"> //also used other options for existingResponse
<remove statusCode="403"/>
<error statusCode="403" path="~/Pages/Error/PI403.aspx" responseMode="ExecuteURL"/>
</httpErrors>
and here is my Application_error method in the global.asax.cs file:
Server.ClearError(); //clear the error so we can continue onwards
var errorPage = "~/Pages/Error/DefaultError.aspx";
var httpException = ex as HttpException;
if (httpException != null && httpException.GetHttpCode() == (int)HttpStatusCode.NotFound)
{
errorPage = "~/Pages/Error/Page404.aspx";
}
Response.Redirect(errorPage);
I have the Logs file in the project but this file uses just logging. If I use myURL/Logs browser link, I get IIS 403.14 error page. If I write myURL/asdeds, I get my custom error page (does not existing something like that in my project). Because the 403 exception does not trigger Application_Error. I want to show my custom error page for all exceptions. I should see my custom error page when I write myURL/Logs to URL part.
and also I set TrySkipIisCustomError property in the Application_BeginRequest
HttpContext.Current.Response.TrySkipIisCustomErrors = true;
Since the 403.14 - Forbidden error is the IIS error not the asp.net error. It use the StaticFile http handler not the asp.net http handler. So the Application_error will not be fired when you faced this error.
The only way to modify the custom error page is using IIS custom error page.
As Lex says, the IIS custom error page not support "~". It will auto match your web application root path. So you could use below config setting.
<httpErrors existingResponse="Replace" defaultResponseMode="ExecuteURL" errorMode="Custom"> //also used other options for existingResponse
<remove statusCode="403"/>
<error statusCode="403" path="/Pages/Error/PI403.aspx" responseMode="ExecuteURL"/>
</httpErrors>
Also you could open IIS mangement console and use UI window to modify the setting.
First you must go to IIS
select configuration editor like this:
In the page that opens, open section combo box and select httpErrors
In the page that opens, unlock defaultPath
Repeat steps 1, 2 and 3 for your application on IIS
Go to Error Pages of your application
Select 403 error and edit it. in the page of edit action you can select Respond with a 302 redirect and type custom error page address in Absolute URL text box.
Do not forget, this operation is performed on the server. Now if a request sent to the server (smp:https :// yoursite.com/scripts) And if you get error 302, the page you want will open.

Customize error 400 (Bad Request) avoid IIS-8 intercepting it

The request is intercepted by the IIS, and it never hits my application.
I want that my Error Handling to manage this error, not IIS. Is this possible?
I've tried many things, including these:
In my Web.config: <httpErrors errorMode="DetailedLocalOnly" existingResponse="PassThrough"></httpErrors>
Also this configuration:
<httpErrors errorMode="DetailedLocalOnly" existingResponse="PassThrough">
<remove statusCode="400"/>
<error statusCode="400" path="http://www.google.com" responseMode="Redirect"/>
</httpErrors>
From the MSDN (IIS 7, nothing on IIS 8 documentation):
You cannot customize the following HTTP error messages: 400, 403.9,
411, 414, 500, 500.11, 500.14, 500.15, 501, 503, and 505.
Here we can replicate the error:
https://stackoverflow.com/ + %%% (you should copy the entire link, with the invalid characters included).
It seems that you are out of luck with this as the following thread already shows: https://serverfault.com/questions/257680/properly-handle-iis-request-with-percent-sign-in-url
One possible solution is to handle this error code at your load balancer (which of course will not be IIS based).
See my answer to
Custom error page configured in IIS for code 400 (bad request) is ignored
in short the redirect with <httpErrors errorMode="Custom" ... works already also for HTTP 400 / bad request and one can customize it except for the errors blocked by the IIS Kernel (for example bad URL)
I am not sure about the version of IIS where it started working. I tested it on IIS 10.
The example https://stackoverflow.com/% still won't work, but
return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
will work as expected (it won't be blocked from the IIS Kernel)

iisnode - IIS7.5: 405 Method not allowed when performing PUT request

I started to do some experimentation with iisnode and expressjs to create a REST like API with node.
So on the server.js I created something like
app.put("/test", function(req, res){
...
});
However, when I execute the PUT request I get a 405 Method not allowed from the IIS 7.5 installation.
Any idea on how to solve this?
BTW, I googled already and tried to add the PUT verbs here and there in the different Handler Mappings with no success...
I now finally found the solution to this problem namely the WebDavModule was blocking my PUT requests.
To resolve the issue:
Open your IIS Manager
Goto your application configuration and open "Modules"
Search WebDavModule and remove it (menu on the right)
It then worked for me.
Alternatively, in your application's web.config add
<system.webServer>
...
<modules>
<remove name="WebDAVModule"/>
</modules>
</system.webServer>
One reason may be that your web.config does not map the particular request you are making to the iisnode handler. In that case the request is picked up by the static request handler which does not support PUT methods and responds with a 405.
To fix this you need a iisnode handler registration like this in your web.config: https://github.com/tjanczuk/iisnode/blob/master/src/samples/helloworld/web.config#L7
In addition, if you plan to use URL that do not end with the name of your node.js file (like seems to be the case above), you will need to use a URL rewrite module to tell IIS exactly which requests should have their URLs rewritten to point to the URL of your node.js entry point. Read more at: http://tomasz.janczuk.org/2011/08/using-url-rewriting-with-nodejs.html

Custom errors not working with IISExpress

I have a asp.net mvc application and am trying to get custom errors working with IISExpress.
Works in Casini fine:
<customErrors mode="On" defaultRedirect="/error">
<error statusCode="404" redirect="/error/notfound"/>
</customErrors>
When I've deployed mvc sites to IIS (7.5) before, all I had to do get my custom errors working was to set:
<httpErrors errorMode="Detailed"/>
I've tried explicitly specifying the status codes within the httpErrors section but nothing works. Here's an example:
<httpErrors errorMode="Detailed" defaultResponseMode="Redirect">
<clear/>
<error statusCode="404" path="/error/notfound"/>
</httpErrors>
Any ideas?
Thanks
Ben
This was caused partly due to my misunderstanding of how custom errors are actually invoked and also the fact that (IMHO), the handling of errors in asp.net mvc is a bit messed up.
The first issue was that in a number of my action methods, I was checking for the existence of an object e.g. a blog post, and returning a HttpNotFoundResult if the blog post was null. I was under the assumption that this would then display the custom error page that I had set up for 404 errors.
However, this is not the case. Returning a HttpNotFoundResult simply sets the status code of the response to 404. The rest is then handled by IIS, displaying the IIS 404 error page or by your browser if it has it's own custom error page.
One solution here is to return a HttpException which will use your custom error pages since the request is be handled by asp.net.
I chose instead to create a new ActionResult that allowed me to specify a view along with a http status code. I preferred this to throwing exceptions.
The next issue was that by default a new MVC project has a greedy route defined. If you make a request to /foo/bar the default MvcHandler will look for a controller called Foo. When it can't find it, it will return 404.
I had removed the default route and had no greedy routes. This meant that urls not matching any of my routes would not be handled by asp.net and would just fall back to IIS.
The solution here was to create a wildcard route at the bottom of my routing configuration to match all other requests and forward them to a custom PageNotFound action, that sets the status code to 404 and displays my custom view.
Some things worth pointing out.
You will need to set httpErrors errorMode="Detailed" for your custom error pages to be displayed in IIS/IISExpress. The rest however can be left alone.
Setting the defaultRedirect path in the customErrors section has no effect on 500 errors. This is because the global HandleErrorAttribute handles all 500 errors and just looks for a view called "Error" to display. This means that if your custom error page is actually a controller action, it will not be invoked. The above is true even if you explicitly specify a 500 error page.
You should still keep the defaultRedirect path however, as it will be used for other status codes if they are not specified explicitly.
If you are using iisexpress you can just comment out the entire httpErrors section < !-- --> in the applicationhost.config and replace it with the following:
<httpErrors errorMode="Custom">
<error responseMode="Redirect" statusCode="404" path="../missing/index.php" />
</httpErrors>
path is the url path to your custom site specific page

IIS7 Hijacks My Coldfusion Error Page

In my exception handling file, I set a statuscode to 404 and then render n HTML page, for the error page (think fail-whale).
<cfheader statuscode="404" statustext="Application Exception">
<html><head><title>Error</title></head><body><h1>There was an error yo!</h1></body></html>
This is obviously over simplified, but just to make sure everything was demonstrated.
What I have found is that from a ASP.NET request, they can set a variable "Response.TrySkipIisCustomErrors=true" to keep IIS from showing its own error page.
How can someone in Coldfusion do it / how can I just tell IIS to stop its thinks it knows better than me shenanigans.
This might help:
<configuration>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</configuration>
For more information:
HTTP Errors (IIS.NET)
What to expect from IIS7 custom error module (IIS.NET)
If that doesn't work then you might try writing a .NET HttpModule to plug into the IIS request/response pipeline to set Response.TrySkipCustomErrors. Not ideal.
ASP.NET's worker request object calls an exported function called MgdSetStatusW. The problem here is that unless Coldfusion exposes this flag then you won't be able to set the value directly in CF.
Poking around with .NET Reflector I seen ASP.NET setting the response status using:
[DllImport("webengine4.dll", CharSet=CharSet.Unicode)]
internal static extern int MgdSetStatusW(IntPtr pRequestContext,
int dwStatusCode, int dwSubStatusCode, string pszReason,
string pszErrorDescription, bool fTrySkipCustomErrors);

Resources