Hackers and other people with dubious intentions are always
on the lookout for websites that display technical error messages. ASP or
ASP.NET error messages are often useful to such people. In some cases the
hackers can actually think of ways of causing the error messages to appear,
such as by playing around with the parameters in the query string.
There have also been instances of hackers using search engines,
such as Google, to find specific terms from error messages that
indicate known vulnerabilities. Therefore, suppressing error
messages is an extremely important tool in helping to avoid drawing the
attention of malicious users.
Thankfully, suppressing errors on Microsoft-based web
servers is very straightforward. In ASP it can be achieved by ensuring that
pages use the "On Error Resume Next" directive. Do not forget that
this directive should also be used within each subroutine in the Global.asa, if
you are using one. The most common sources of ASP errors on live websites are
database or filesystem errors. Your application should always check for these,
for example by checking the Errors collection of the ADODB Connection object to
ensure a database connection has been successful.
IIS also has a setting that allows a website's errors to be
replaced with an operator-supplied generic message.
In ASP.NET, application errors can be suppressed by altering
the customErrors setting within the application's web.config file. By default,
the .NET Framework usually hides the specific details of application errors unless
the website is being viewed on the local machine.
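
One way to check the customErrors setting described above across a set of web.config files, as an added example that is not part of the original article. The function name, the issue labels, the sample configurations and the ~/error.html path are constructed for illustration, and the check assumes the configuration element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not from any real site).
WEAK = '<configuration><system.web><customErrors mode="Off"/></system.web></configuration>'
FIXED = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html"/>
  </system.web>
</configuration>"""
# Site-wide setting is fine, but a <location> block switches details back on.
OVERRIDE = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html"/>
  </system.web>
  <location path="reports">
    <system.web><customErrors mode="Off"/></system.web>
  </location>
</configuration>"""


def audit_custom_errors(config_xml):
    """Return (scope, issue) pairs for customErrors settings worth fixing."""
    root = ET.fromstring(config_xml)
    # <system.web> may sit under <configuration> or inside <location path="...">.
    scopes = [("site", root)]
    scopes += [("location:" + loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        element = node.find("system.web/customErrors")
        if element is None:
            continue  # nothing set here: the inherited or default value applies
        mode = element.get("mode", "RemoteOnly")  # RemoteOnly is the documented default
        if mode == "Off":
            findings.append((scope, "detailed-errors-shown-to-remote-users"))
        elif not element.get("defaultRedirect"):
            # Details are hidden, but visitors get the stock ASP.NET error page.
            findings.append((scope, "no-site-error-page-configured"))
    return findings


if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("FIXED", FIXED), ("OVERRIDE", OVERRIDE)):
        print(name, audit_custom_errors(xml))
```

The OVERRIDE sample shows why the site-level setting alone is not enough to review: a location block can turn detailed errors back on for one path.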