This is a migrated thread and some comments may be shown as answers.

Telerik.Web.UI.WebResource.axd friendly 404 page.

HSLaw asked on 03 Sep 2018, 04:24 AM

Hi, we have a 404 page configured in web.config so that a non-existent page like https://www.ximnet.com.my/something, or a page with errors, goes to a friendly 404 page.

But https://www.ximnet.com.my/Telerik.Web.UI.WebResource.axd cannot redirect to the 404 page.

How can we redirect the axd to our 404 page?
We need this because an Acunetix scan tags this page as showing "Application Error Message".

Thanks.

 

7 Answers, 1 is accepted

Marin Bratanov
Telerik team
answered on 03 Sep 2018, 04:35 PM
Hi,

The Telerik.Web.UI.WebResource.axd is an HTTP handler that you need registered and accessible in the web.config so that the UI for ASP.NET AJAX controls work: https://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview#mandatory-additions-to-the-webconfig.

In most cases, there are GET requests for it caused by scripts or stylesheets that are needed in the browser. Those types of requests cannot redirect the current page even if customErrors in the web.config redirect the handler.


Regards,
Marin Bratanov
Progress Telerik
Get quickly onboarded and successful with your Telerik and/or Kendo UI products with the Virtual Classroom free technical training, available to all active customers. Learn More.
HSLaw
answered on 06 Sep 2018, 05:18 AM

Hi,

So, there is no way to remove the error messages from being displayed?

Thanks.

HSLaw
answered on 06 Sep 2018, 07:00 AM

Hi,

We managed to intercept in Global.asax:

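Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    ' Code that runs when an unhandled error occurs

    ' Get the exception object.
    Dim exc As Exception = Server.GetLastError
    ' GetLastError can return Nothing, so check before reading Message.
    If exc IsNot Nothing AndAlso exc.Message = "This is an invalid webresource request." Then
        ' Clear the error so the default error page is not rendered.
        Server.ClearError()
    End If
End Sub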

 

but Acunetix reports "Content type is not specified" for it.
What is the best way to add the Content type to the axd files?

 

Thanks.

Marin Bratanov
Telerik team
answered on 06 Sep 2018, 11:33 AM
Hello,

You must ensure that the Telerik WebResource handler is available and does not throw errors. It is used by our controls and if it cannot return successfully, their scripts and skins are likely to not load and so the controls will not function/look as expected.

If you already have the registration from my previous link, ensure anonymous access is allowed for it: https://docs.telerik.com/devtools/aspnet-ajax/general-information/troubleshooting/web-resources-troubleshooting.

Our code cannot control the server response for errors; this is determined by the server/application configuration.


Regards,
Marin Bratanov
Progress Telerik
HSLaw
answered on 07 Sep 2018, 01:27 AM

Hi,

The application is working and displaying properly when it is being used as normal.
The error comes up in the Acunetix Web Vulnerability Scanner report, which tries to crash the URL with different parameters.

This makes the application security report show Medium Vulnerability.

Attached is the screen-cap from Acunetix.

Thanks.

 

Accepted
Marin Bratanov
Telerik team
answered on 07 Sep 2018, 08:07 AM
Hello,

Thank you for the details. Since the handler itself exists but wrong parameters result in server errors being thrown, this will not get captured by a 404 redirect. Instead, you'd need to capture the appropriate status code, like 500. Here's an example:

<location path="Telerik.Web.UI.WebResource.axd">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
    <customErrors redirectMode="ResponseRedirect" mode="On">
      <error statusCode="500" redirect="myErrorPage.aspx"/>
    </customErrors>
  </system.web>
</location>

Where, of course, you can tweak the settings so they match your needs and preferences. This concrete example will do a 302 redirect to a designated error page.

I am attaching below a short video that shows how this works in Fiddler.

It is also important to note that the arguments the handler receives are important and they are generated by the server. The querystring params for d and t are created by .NET through its GetWebResourceUrl method and so all of these parameters are important for the handler to function as expected. It does try to contain errors and keep working, but tampering with it should be expected to result in some errors. We are not aware of vulnerabilities in it and if someone tampers with the requests and gets an error, that behavior is expected. A standard web form has the same behavior.


Regards,
Marin Bratanov
Progress Telerik
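
An alternative to the redirect, which also covers the "Content type is not specified" finding raised earlier in the thread: handle the failure in Global.asax and return a generic body with an explicit status code and Content-Type. This is an added example, not code from the thread or from Telerik; the 404 status, the text/plain body and matching on the request path instead of the exception message are assumptions chosen for illustration.

```vb
' Global.asax (VB.NET). Added example; not part of the original thread.
Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    Dim exc As Exception = Server.GetLastError()
    If exc Is Nothing Then Return

    ' Scope the handling to the Telerik resource handler by path, so a change
    ' in the exception message text does not silently disable it.
    Dim path As String = Request.AppRelativeCurrentExecutionFilePath
    If Not path.EndsWith("Telerik.Web.UI.WebResource.axd",
                         StringComparison.OrdinalIgnoreCase) Then
        Return ' every other error still goes through customErrors
    End If

    ' Keep the exception detail server-side for troubleshooting.
    System.Diagnostics.Trace.TraceWarning("WebResource.axd request failed: {0}", exc)

    ' This code only runs when the handler threw, so valid script and
    ' stylesheet requests served by the handler are not affected.
    Server.ClearError()
    Response.Clear()
    Response.StatusCode = 404                ' assumption: treat a bad request as "not found"
    Response.ContentType = "text/plain"      ' explicit Content-Type on the error response
    Response.TrySkipIisCustomErrors = True   ' stop IIS replacing the body with its own page
    Response.Write("Not found.")             ' generic body, no exception text
    Context.ApplicationInstance.CompleteRequest()
End Sub
```

Because the error is cleared here, the customErrors redirect for this path no longer fires; use one approach or the other.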
HSLaw
answered on 07 Sep 2018, 09:23 AM
Thanks.