Disable default configurations to prevent unauthorized access and information disclosure
// Using directives needed for IServiceCollection, IApplicationBuilder and IWebHostEnvironment
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Detailed exception page, acceptable only in development
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // Default error handling page
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            // Default route: the base URL resolves to Home/Index
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}
The above code is a typical startup configuration for an ASP.NET Core application. The vulnerability in this code lies in the default route configuration in the Configure method:

    endpoints.MapControllerRoute(
        name: "default",
        pattern: "{controller=Home}/{action=Index}/{id?}");

This route maps requests for the base URL of the application to the Home controller and the Index action. This is the server's default page. If this page contains technical information about the server, an attacker can access it: if the Home controller's Index action returns a view that includes server details, an attacker could read those details simply by navigating to the base URL of your application.
// Using directives needed for IServiceCollection, IApplicationBuilder and IWebHostEnvironment
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Detailed exception page, acceptable only in development
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // Custom error handling page
            app.UseExceptionHandler("/CustomErrorPage");
        }

        app.UseStaticFiles();
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            // Custom route replaces the default Home/Index page
            endpoints.MapControllerRoute(
                name: "custom",
                pattern: "{controller=Custom}/{action=Index}/{id?}");
        });
    }
}
The above code fixes the vulnerability by disabling the default page and the default error handling page in the server configuration.

In the Configure method, the UseExceptionHandler call is updated to use a custom error handling page instead of the default one. This prevents sensitive server information from being exposed in error messages or responses.

The UseEndpoints call is also updated to use a custom route instead of the default one. This prevents unauthorized access to the server's default page.

Remember to create the custom error handling page and the custom controller with its corresponding action method to handle the requests.

This way, we ensure that the server's default page is not enabled and that technical information about the server is not exposed, thus fixing the vulnerability.
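The custom route and error path only help if the controllers behind them leak nothing; the following added example (not part of the original page) shows hypothetical CustomController and CustomErrorPageController classes that satisfy the two registrations above, keeping exception details in the server log and sending the client only a correlation id. The controller and view names are assumptions chosen to match the Configure method shown.

```csharp
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical controller behind the "{controller=Custom}/{action=Index}" route.
// The landing view receives no framework version, hostname or environment data.
public class CustomController : Controller
{
    public IActionResult Index()
    {
        return View();
    }
}

// Hypothetical controller behind app.UseExceptionHandler("/CustomErrorPage").
public class CustomErrorPageController : Controller
{
    private readonly ILogger<CustomErrorPageController> _logger;

    public CustomErrorPageController(ILogger<CustomErrorPageController> logger)
    {
        _logger = logger;
    }

    // Attribute route so the path matches exactly what Configure registered.
    [Route("/CustomErrorPage")]
    [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
    public IActionResult Index()
    {
        // The original exception is exposed server-side by the exception handler middleware.
        var feature = HttpContext.Features.Get<IExceptionHandlerPathFeature>();
        if (feature?.Error != null)
        {
            // Message and stack trace go to the log, never into the response body.
            _logger.LogError(feature.Error, "Unhandled exception at {Path}", feature.Path);
        }

        // Only a correlation id reaches the client, so support can locate the log entry.
        ViewData["RequestId"] = HttpContext.TraceIdentifier;
        Response.StatusCode = 500;
        return View();
    }
}
```

The matching Razor views (Views/Custom/Index.cshtml and Views/CustomErrorPage/Index.cshtml) should render only static text plus ViewData["RequestId"].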