Hi, we have a 404 page configured in web.config so that a non-existent page like https://www.ximnet.com.my/something, or a page with errors, will go to a friendly 404 page.
But for https://www.ximnet.com.my/Telerik.Web.UI.WebResource.axd, it cannot redirect to 404 page.
How can we redirect the axd to our 404 page?
We need this because in Acunetix scanning, it will tag this page as showing "Application Error Message".
7 Answers, 1 is accepted
The Telerik.Web.UI.WebResource.axd is an HTTP handler that you need registered and accessible in the web.config so that the UI for ASP.NET AJAX controls work: https://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview#mandatory-additions-to-the-webconfig.
In most cases, there are GET requests for it caused by scripts or stylesheets that are needed in the browser. Those types of requests cannot redirect the current page even if customErrors in the web.config redirects the handler.
So, there is no way to remove the error messages from being displayed?
We managed to intercept in Global.asax:
but Acunetix reports "Content type is not specified" for it.
What is the best way to add the Content type to the axd files?
You must ensure that the Telerik WebResource handler is available and does not throw errors. It is used by our controls and if it cannot return successfully, their scripts and skins are likely to not load and so the controls will not function/look as expected.
If you already have the registration from my previous link, ensure anonymous access is allowed for it: https://docs.telerik.com/devtools/aspnet-ajax/general-information/troubleshooting/web-resources-troubleshooting.
Our code cannot control the server response for errors; this is determined by the server/application configuration.
The application is working and displaying properly when it is being used as normal.
The error comes out in the Acunetix Web Vulnerability Scanner report, which tries to crash the URL with different parameters.
This makes the application security report flag it as a Medium Vulnerability.
Attached is the screen-cap from Acunetix.
Thank you for the details. Since the handler itself exists but wrong parameters result in server errors being thrown, this will not get captured by a 404 redirect. Instead, you'd need to capture the appropriate status code, like 500. Here's an example:
Where, of course, you can tweak the settings so they match your needs and preferences. This concrete example will do a 302 redirect to a designated error page.
I am attaching below a short video that shows how this works in Fiddler.
It is also important to note that the arguments the handler receives are important and they are generated by the server. The querystring params for d and t are created by .NET through its GetWebResourceUrl method and so all of these parameters are important for the handler to function as expected. It does try to contain errors and keep working, but tampering with it should be expected to result in some errors. We are not aware of vulnerabilities in it and if someone tampers with the requests and gets an error, that behavior is expected. A standard web form has the same behavior.
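A web.config fragment, added here as an example and not taken from the thread or from Telerik's documentation, that routes both the 404 for non-existent pages and the 500 the handler returns on tampered parameters to friendly pages while keeping the handler itself registered. The page names /NotFound.aspx and /Error.aspx are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Keep the Telerik.Web.UI.WebResource.axd handler registration from the
         Telerik docs exactly as it is (not repeated here); the controls' scripts
         and skins stop loading if the handler is removed or denied. -->

    <!-- ASP.NET level: an unhandled exception inside the handler (e.g. a
         malformed d= or t= parameter) becomes a 302 to the error page instead
         of the detailed "Application Error" body the scanner flags.
         mode="On" also hides the detail from local requests. -->
    <customErrors mode="On"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRedirect">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
  </system.web>

  <system.webServer>
    <!-- IIS level (integrated pipeline): existingResponse="Replace" discards any
         error body a module already wrote, so the stock ASP.NET/IIS error text
         never reaches the client. ExecuteURL serves the friendly page while
         preserving the real 404/500 status; use responseMode="Redirect" instead
         if you prefer the 302 described above. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" />
      <error statusCode="404" path="/NotFound.aspx" responseMode="ExecuteURL" />
      <remove statusCode="500" />
      <error statusCode="500" path="/Error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

Note that existingResponse="Replace" also replaces the body of any 4xx/5xx response your own pages emit deliberately (for example JSON error payloads), so scope it to the site that needs it and re-check with the scanner afterwards.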