In Scott Guthrie's blog on the ASP.NET security vulnerability noted here, he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section:
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
ResponseRedirect gives the attacker information about the time it takes to send the redirect header.
ResponseRewrite does not return a redirect header, so the attacker does not know this time.
The attacker can use this delay to find out what kind of error it is; for that reason Scott gives an example error.aspx page with a random delay. If you do not use ResponseRewrite, then this delay is pointless.
Why only 3.5 SP1 and above? Because it does not exist in previous versions.
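A defender-side check for the setting discussed in this thread, as an added example that is not part of the original question or answer: it audits web.config text for the `customErrors` attributes. The sample configs, the function names and the extra check for per-status `<error>` entries are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not taken from the original post).
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.aspx">
    <error statusCode="404" redirect="~/notfound.aspx" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite"
                defaultRedirect="~/error.aspx" />
</system.web></configuration>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(xml_text):
    """Return a list of findings for every <customErrors> element found."""
    root = ET.fromstring(xml_text)
    nodes = [e for e in root.iter() if local(e.tag) == "customErrors"]
    if not nodes:
        return ["no <customErrors> element; framework defaults apply"]
    findings = []
    for node in nodes:
        # Documented defaults: mode=RemoteOnly, redirectMode=ResponseRedirect.
        mode = node.get("mode", "RemoteOnly")
        redirect_mode = node.get("redirectMode", "ResponseRedirect")
        if mode == "Off":
            findings.append("mode=Off: detailed errors are sent to clients")
        if redirect_mode != "ResponseRewrite":
            findings.append("redirectMode=%s: error page is reached through "
                            "an HTTP redirect" % redirect_mode)
        if not node.get("defaultRedirect"):
            findings.append("no defaultRedirect: no single error page set")
        if any(local(c.tag) == "error" for c in node):
            findings.append("per-status <error> entries: responses differ "
                            "by error kind")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_custom_errors(cfg) or "ok")
```

Because elements are matched by local name, the check also covers `customErrors` inside `<location>` blocks and configs that declare an XML namespace on `<configuration>`.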