by troyhunt
4785 days ago
What it shows is that the server is not configured to return a custom error page when an exception occurs. Beyond the obvious usability issue, this may be used by an attacker to identify sites that leak internal information. It's not a vulnerability per se, but it's a gateway to helping find them. More info: https://asafaweb.com/Scan?Url=telegraphcottages.co.uk#Custom...

But what does that even mean? We've already discussed below that thinking you can hide an ASP.NET MVC site is wishful thinking unless you totally strip out every identifying part of the framework client-side. There are so many ways I can think of, including the ones below, like the JS libraries, the CSRF style, the CSS style the validation uses, the wrapping of JSON responses in an object named d, etc. etc.
I even have vague recollections of coming across odd behaviours in IIS when it sends the allow-continue header in certain scenarios that no other webserver does. Though I can't remember the details now so might be wrong there.
I think you should stop classifying this as a vulnerability and just call it what it actually is, a misconfiguration.
I do like asafaweb, nice tool.