Kindly find the link for error details. The background is that my users are running a web-based COTS product. Recently, the application went through a vulnerability assessment, and one of the issues found was related to the exposure of information via Stack Trace. Over at our end we tried the following: Assign an error page for error 400 via IIS and restarted IIS Ensure the following is correct and inside web.config: <trace enabled="false" localOnly="true"> Ensure the following is correct and inside web.config too: <customErrors mode="On" defaultRedirect="error.aspx" /> But the Stack Trace info still appear. I have no idea what else is causing the stack trace to still appear for that particular 400 error. The other errors were fine and catered for during the scan, with no stack trace information appearing. Anyone have any idea what else I can do? Is there a chance it's caused by the COTS application instead? Do note that my end goal is not to resolve 400 errors, but to hide/remove stack trace information for any error 400 occurrences.

Hi @GQ You can try to configure <requestFiltering> to DENY the verb TRACE. <requestFiltering> <verbs> <add verb="TRACE" allowed="false" /> </verbs> </requestFiltering> More information you can refer to this link: verbs . If the answer is helpful, please click "Accept Answer" and upvote it. Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hide / Remove Stack Trace information

GQ 26

Kindly find the link for error details.

Error 400 Stack trace sample

The background is that my users are running a web-based COTS product. Recently, the application went through a vulnerability assessment, and one of the issues found was related to the exposure of information via Stack Trace. Over at our end we tried the following:

Assign an error page for error 400 via IIS and restarted IIS
Ensure the following is correct and inside web.config: <trace enabled="false" localOnly="true">
Ensure the following is correct and inside web.config too: <customErrors mode="On" defaultRedirect="error.aspx" />

But the Stack Trace info still appear. I have no idea what else is causing the stack trace to still appear for that particular 400 error. The other errors were fine and catered for during the scan, with no stack trace information appearing. Anyone have any idea what else I can do? Is there a chance it's caused by the COTS application instead?

Do note that my end goal is not to resolve 400 errors, but to hide/remove stack trace information for any error 400 occurrences.

Cheong00 3,476 Reputation points

2021-04-13T03:24:05.96+00:00

Stack trace is automatically inserted in Exception body to help you trace when caused the exception.

If you don't want to show it, direct "request with error" to custom error page.
GQ 26 Reputation points

2021-04-13T03:54:03.227+00:00

Hi Cheong00,

I have already performed a redirect: <customErrors mode="On" defaultRedirect="error.aspx" />
I believe I do not need to specify another individual page for error 400?
Cheong00 3,476 Reputation points

2021-04-13T09:32:17.133+00:00

Seems for .NET Core MVC, you'll need additional configuration in code.

If it's .NET MVC you may try to handle it in Global.asax.
GQ 26 Reputation points

2021-04-13T09:44:57.357+00:00

Hi Cheong,

My limitation is that it's a COTS product. Are you suggesting that the issue is with the application?
Cheong00 3,476 Reputation points

2021-04-14T01:27:57.703+00:00

If the application will leak implementation detail to public when it goes live, you can always treat the issue is with the application unless you explicitly requested this to be available, no matter it's fixable by changing config file or not.

Tell the vendor to log exceptions to log file/table and then write a reference number to that record in error message.

======

I'll also add that by looking closer to the error message, with the name of member "innererror" in the json returned, the stacktrace and the sort is artificially added by their code, not by default mechanism of .NET framework. Therefore no tweaking on config file will disable the stacktrace in error message (unless a switch supplied by that vendor).
GQ 26 Reputation points

2021-04-14T02:12:56.273+00:00

Good point. Let me check with the vendor on this again. Thanks for clarifying!
Narcis Vasilache 1 Reputation point

2023-07-04T13:48:13.0833333+00:00

Hi GQ, any solution for disabling stack trace after all? Thanks

1 answer

Sam Wu-MSFT 7,526 Reputation points Microsoft Vendor

2021-04-13T06:07:08.553+00:00
Hi @GQ

You can try to configure <requestFiltering> to DENY the verb TRACE.

<requestFiltering> <verbs> <add verb="TRACE" allowed="false" /> </verbs> </requestFiltering>

More information you can refer to this link: verbs.

If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
GQ 26 Reputation points

2021-04-13T06:28:53.25+00:00

Hi Sam,

As mentioned we already tried this at our end inside web.config file.

Sam Wu-MSFT 7,526 Reputation points Microsoft Vendor

2021-04-13T09:05:26.317+00:00

@GQ Sorry for not understanding your question, can you show me your web.config file?

GQ 26 Reputation points

2021-04-13T09:46:30.447+00:00

Hi Sam,

Unfortunately I am not able to provide the web.config file due to internal security policies.

I am quite sure these three are in place already, but they are not working:

Assign an error page for error 400 via IIS and restarted IIS

Ensure the following is correct and inside web.config: <trace enabled="false" localOnly="true">

Ensure the following is correct and inside web.config too: <customErrors mode="On" defaultRedirect="error.aspx" />

Sam Wu-MSFT 7,526 Reputation points Microsoft Vendor

2021-04-14T08:06:43.38+00:00

@GQ I re-edited my answer, hope this helps you.

GQ 26 Reputation points

2021-04-14T08:53:54.4+00:00

Hi Sam,

We are not trying to block incoming HTTP requests. We just want to remove/hide the stack trace information that would be exposed.

Sam Wu-MSFT 7,526 Reputation points Microsoft Vendor

2021-04-15T09:07:55.18+00:00

@GQ What project are you using? asp.net or others?

GQ 26 Reputation points

2021-04-15T09:35:05.203+00:00

Hi Sam,

As mentioned it's a COTS product. But it should be based on ASP.NET

Sam Wu-MSFT 7,526 Reputation points Microsoft Vendor

2021-04-30T09:07:53.89+00:00

Hi @GQ Have you tried to use code to hide Stack Trace information?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Hide / Remove Stack Trace information

1 answer

Your answer