
I am using IIS8 with an MVC.NET website built on .NET Framework 4.5. As part of a security fix, I have been told to return a generic error message for all 403 status codes. I was able to achieve this using the httpErrors tags in the web.config file with the "" entry. But there are some errors thrown by http.sys which still show the system-level errors instead of the generic error. For example, a GET request to the URL "http://abc.xyz.com/login/../../../../../../../admin.txt" returns the "HTTP Error 403. The request URL is forbidden." error, while it should return the generic error message which is mentioned in my httpErrors tag.

To my surprise, if I stop the website (not IIS), I still get the same error, which confirmed that the error is handled at the low-level APIs of IIS and is not passed down to the application layer; hence any changes in web.config do not help to fix this issue.

Could someone please shed some light on how to fix this issue?

Thanks, Ajay Sawant

  • Read the Note, and some you simply could not handle, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753103(v=ws.10) – Lex Li Jul 31 '18 at 14:46
  • Thanks Lex. The notes in this article talk about the 403.9 too many requests error, but in my case this is a pure 403 error. Another comment talks about having a relative URL in the httpErrors config, which is also true in my case. – ajay sawant Aug 01 '18 at 02:24

0 Answers