Missing Custom Error Page (CWE ID 756) vulnerability

IIS comes with a default website as well as default error pages. In order to help developers and server administrators troubleshoot issues, these error pages may provide detailed information about the application and server. Therefore, some penetration testing tools may flag this situation as a vulnerability.

Here is the vulnerability a security scan tool flagged because the default error page was in use:

Missing Custom Error Page (CWE ID 756)
The software fails to return custom error pages to the user, possibly resulting in an information leak.
Ensure that all error pages are customized and default error pages are returned to users.

Vulnerability: Missing Custom Error Page

More information about this type of weakness is here.

Solution for Missing Custom Error Page (CWE ID 756) vulnerability

Unless you enable detailed error pages for remote requests, I wouldn’t classify this situation as a vulnerability. However, if you want your users to see more meaningful error pages and you want to have a clean security scan report, you can create custom error pages.

IIS setting for detailed error pages

In the case I worked on, the pentest tool brought up this report for a folder that doesn’t have a default index page. For this situation, there are a few easy workarounds:

  1. Add an index.html file to the folder and move index.html to the top of the Default Document list for that folder in IIS Manager. This should prevent that URL from being flagged again.
  2. Customize the IIS default page for the 403 error (C:\inetpub\custerr\en-US\403.html). The pentest tool is likely to pass the URL once that page is customized.
  3. Enforce custom error pages in web.config.
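
A web.config sketch for option 3, added here as an example and not taken from the original post. The `/errors/*.html` paths are placeholder names: create those pages in the site and adjust the paths to match.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!--
      errorMode="Custom" serves the custom pages to every client, local or remote.
      The IIS default is "DetailedLocalOnly" (detailed pages only for requests made
      on the server itself); "Detailed" is the setting that sends detailed error
      pages to remote clients and should not be used on a production site.
      existingResponse="Replace" also replaces error bodies generated by the
      application, so framework error output is not passed through.
    -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <!-- Drop the inherited entries that point at C:\inetpub\custerr\... -->
      <remove statusCode="403" subStatusCode="-1" />
      <remove statusCode="404" subStatusCode="-1" />
      <remove statusCode="500" subStatusCode="-1" />

      <!-- subStatusCode defaults to -1 (all sub-statuses), so the 403 entry also
           covers a folder request that has no default document.
           ExecuteURL keeps the original status code in the response; the path
           is relative to the site root. Placeholder paths (assumption). -->
      <error statusCode="403" path="/errors/403.html" responseMode="ExecuteURL" />
      <error statusCode="404" path="/errors/404.html" responseMode="ExecuteURL" />
      <error statusCode="500" path="/errors/500.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

After deploying, request the flagged folder URL from a remote machine and confirm that the response still carries the 403 status but shows the custom page body.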
