标签看起来像这样:
<customErrors mode="RemoteOnly" defaultRedirect="~/RSRTerror.aspx" />
重定向工作正常:
http://mysite.com/hello.aspx?idx=somethingWrong
以上重定向到错误页面没有问题。
然而,当我在:
http://mysite.com/RSRTerror.aspx?aspxerrorpath='"--></style></script><script>netsparker(0x0023B6)</script>
它给了我以下内容:
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
我关闭customErrors时看到的错误是:
从客户端
检测到潜在危险的Request.QueryString值我该如何处理?
如果我在Errorpage上设置ValidateRequest =“false”,它是否会允许更多漏洞通过?