Telerik.Web.UI.WebResource.axd friendly 404 page.

8 posts, 1 answer
  1. HSLaw
    159 posts
    Member since: Jan 2006

    Posted 02 Sep 2018

    Hi, we have a 404 page configured in web.config so that a non-existent page like https://www.ximnet.com.my/something, or a page with errors, will go to a friendly 404 page.

    But for https://www.ximnet.com.my/Telerik.Web.UI.WebResource.axd, it cannot redirect to the 404 page.

    How can we redirect the axd to our 404 page?
    We need this because in Acunetix scanning, it will tag this page as showing "Application Error Message".

    Thanks.

  2. Marin Bratanov
    Admin
    4944 posts

    Posted 03 Sep 2018

    Hi,

    The Telerik.Web.UI.WebResource.axd is an HTTP handler that you need registered and accessible in the web.config so that the UI for ASP.NET AJAX controls work: https://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview#mandatory-additions-to-the-webconfig.

    In most cases, there are GET requests for it caused by scripts or stylesheets that are needed in the browser. Those types of requests cannot redirect the current page even if customErrors in the web.config redirect the handler.


    Regards,
    Marin Bratanov
    Progress Telerik
    Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
  3. HSLaw
    159 posts
    Member since: Jan 2006

    Posted 06 Sep 2018 in reply to Marin Bratanov

    Hi,

    So, there is no way to remove the error messages from being displayed?

    Thanks.

  4. HSLaw
    159 posts
    Member since: Jan 2006

    Posted 06 Sep 2018 in reply to HSLaw

    Hi,

    We managed to intercept in Global.asax:

    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        ' Code that runs when an unhandled error occurs

        ' Get the exception object.
        Dim exc As Exception = Server.GetLastError()
        ' Clear only the error raised for an invalid WebResource.axd request.
        If exc IsNot Nothing AndAlso exc.Message = "This is an invalid webresource request." Then
            Server.ClearError()
        End If
    End Sub

    but Acunetix reports "Content type is not specified" for it.
    What is the best way to add the Content type to the axd files?

    Thanks.

  5. Marin Bratanov
    Admin
    4944 posts

    Posted 06 Sep 2018

    Hello,

    You must ensure that the Telerik WebResource handler is available and does not throw errors. It is used by our controls and if it cannot return successfully, their scripts and skins are likely to not load and so the controls will not function/look as expected.

    If you already have the registration from my previous link, ensure anonymous access is allowed for it: https://docs.telerik.com/devtools/aspnet-ajax/general-information/troubleshooting/web-resources-troubleshooting.

    Our code cannot control the server response for errors; this is determined by the server/application configuration.


    Regards,
    Marin Bratanov
    Progress Telerik
  6. HSLaw
    159 posts
    Member since: Jan 2006

    Posted 06 Sep 2018 in reply to Marin Bratanov

    Hi,

    The application is working and displaying properly when it is being used as normal.
    The error comes out in the Acunetix Web Vulnerability Scanner report, which tries to crash the URL with different parameters.

    This makes the application security report as Medium Vulnerability.

    Attached is the screen-cap from Acunetix.

    Thanks.

  7. Answer
    Marin Bratanov
    Admin
    4944 posts

    Posted 07 Sep 2018

    Hello,

    Thank you for the details. Since the handler itself exists but wrong parameters result in server errors being thrown, this will not get captured by a 404 redirect. Instead, you'd need to capture the appropriate status code, like 500. Here's an example:

    <location path="Telerik.Web.UI.WebResource.axd">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
        <customErrors redirectMode="ResponseRedirect" mode="On">
          <error statusCode="500" redirect="myErrorPage.aspx"/>
        </customErrors>
      </system.web>
    </location>

    Where, of course, you can tweak the settings so they match your needs and preferences. This concrete example will do a 302 redirect to a designated error page.

    I am attaching below a short video that shows how this works in Fiddler.

    It is also important to note that the arguments the handler receives are important and they are generated by the server. The querystring params for d and t are created by .NET through its GetWebResourceUrl method and so all of these parameters are important for the handler to function as expected. It does try to contain errors and keep working, but tampering with it should be expected to result in some errors. We are not aware of vulnerabilities in it and if someone tampers with the requests and gets an error, that behavior is expected. A standard web form has the same behavior.


    Regards,
    Marin Bratanov
    Progress Telerik
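
A check for the outcome of the configuration in the answer above, added here as an example and not code from the thread or from Telerik: it classifies a response from the handler against the two Acunetix findings mentioned ("Application Error Message" and "Content type is not specified"). The function names, finding labels and the three sample responses are constructed for illustration.

```python
# Added example: classify responses from Telerik.Web.UI.WebResource.axd
# against the two scanner findings discussed in the thread.

# Text that marks a detailed ASP.NET error page. The last entry is the
# exception message quoted in the thread.
ERROR_MARKERS = (
    "server error in '/' application",
    "stack trace:",
    "version information:",
    "this is an invalid webresource request",
)

def audit_response(status, headers, body):
    """Return a sorted list of findings for one response; empty means clean."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.lower()
    findings = set()
    if any(marker in text for marker in ERROR_MARKERS):
        findings.add("application-error-message")
    if status >= 500:
        findings.add("server-error-status")
    # 204 and 304 carry no body, so a missing Content-Type is fine there.
    if status not in (204, 304) and not hdrs.get("content-type", "").strip():
        findings.add("content-type-not-specified")
    return sorted(findings)

def redirects_to(status, headers, error_page):
    """True when the response is a 302 to the configured error page."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status == 302 and error_page.lower() in location.lower()

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "default": (500, {"Content-Type": "text/html; charset=utf-8"},
        "<title>This is an invalid webresource request.</title>"
        "<h1>Server Error in '/' Application.</h1><b>Stack Trace:</b>"),
    "error_cleared": (200, {}, ""),
    "custom_errors": (302, {"Content-Type": "text/html; charset=utf-8",
        "Location": "/myErrorPage.aspx?aspxerrorpath=/Telerik.Web.UI.WebResource.axd"},
        "<h2>Object moved to <a href=\"/myErrorPage.aspx\">here</a>.</h2>"),
}

def audit_all(samples=SAMPLES):
    """Map each sample name to its list of findings."""
    return {name: audit_response(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:14} {findings or 'clean'}")
```
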
  8. HSLaw
    159 posts
    Member since: Jan 2006

    Posted 07 Sep 2018 in reply to Marin Bratanov

    Thanks.