I have added the ability for us to log errors to our database for all HTTPExceptions. Once this was pushed live we logged about 10,000 in the span of around 15 minutes. I have to assume these errors were happening all the time, but since they were not critical errors the user didn't notice anything.

Here is the code in my Global.asax

        protected void Application_Error(object sender, EventArgs e)
        {

            Exception exception = Server.GetLastError();

            if (exception is HttpException)
            {
                var httpException = exception as HttpException;

                if (httpException.GetHttpCode() == 404)
                {
                    // Page not found error
                    Response.StatusCode = 404; 

                    using (MyEntities db = new MyEntities())
                    {
                        ErrorLog error = new ErrorLog();

                        error.Date = DateTime.Now;
                        error.Type = httpException.GetHttpCode().ToString();
                        error.Message = httpException.Message;
                        error.Source = httpException.Source;
                        error.StackTrace = httpException.StackTrace;
                        error.TargetSite = Request.Url.ToString();
                        error.Browser = Request.Browser.Browser + "(" + Request.Browser.Type + ")" + "v" + Request.Browser.Version;
                        error.IP = Request.ServerVariables["REMOTE_ADDR"];

                        //db.ErrorLogs.Add(error);
                        //db.SaveChanges();
                    }
                }
                else if (httpException.GetHttpCode() == 500)
                {
                    // Server Error
                    Response.StatusCode = 500;  

                    using (MyEntities db = new MyEntities ())
                    {
                        ErrorLog error = new ErrorLog();

                        error.Date = DateTime.Now;
                        error.Type = httpException.GetHttpCode().ToString();
                        error.Message = httpException.Message;
                        error.Source = httpException.Source;
                        error.StackTrace = httpException.StackTrace;
                        error.TargetSite = Request.Url.ToString();
                        error.Browser = Request.Browser.Browser + "(" + Request.Browser.Type + ")" + "v" + Request.Browser.Version;
                        error.IP = Request.ServerVariables["REMOTE_ADDR"];

                        //db.ErrorLogs.Add(error);
                        //db.SaveChanges();
                    }
                }
                else
                {
                    // All Other Errors
                    Response.StatusCode = 500; 

                    using (MyEntities db = new MyEntities ())
                    {
                        ErrorLog error = new ErrorLog();

                        error.Date = DateTime.Now;
                        error.Type = "999";
                        error.Message = httpException.Message;
                        error.Source = httpException.Source;
                        error.StackTrace = httpException.StackTrace;
                        error.TargetSite = Request.Url.ToString();
                        error.Browser = Request.Browser.Browser + "(" + Request.Browser.Type + ")" + "v" + Request.Browser.Version;
                        error.IP = Request.ServerVariables["REMOTE_ADDR"];

                        //db.ErrorLogs.Add(error);
                        //db.SaveChanges();
                    }
                }

            }
        }

Out of the 10,000 errors we have logged only 50 of them were unique.

Here are examples of some of them

    Type  Message
    999   A potentially dangerous Request.Path value was detected from the client (:).
    999   A potentially dangerous Request.Path value was detected from the client (>).
    404   The controller for path '/images/favicon.ico' was not found or does not implement IController.
    404   The controller for path '/Scripts/jquery-1.4.2.min.js' was not found or does not implement IController.
    404   The controller for path '/Scripts/jquery-ui-1.8.5.custom.min.js' was not found or does not implement IController.

Now these seem like pretty silly errors. And from a user standpoint this does not throw them to our custom 404 error page. So I am guessing they hit this error and are later redirected so they never see or notice they hit an error unless something is wrong with the code.

Anyone able to point me in the right direction to fix these if they are legitimate errors?

The last three 404 errors don't even make sense to me because they are not controllers and should not be treated like controllers ever.

James Wilson
  • it has something to do with your routing, add some constraints there http://stackoverflow.com/questions/4624190/mvc-does-the-favicon-ico-also-look-for-a-controller – prospector Dec 12 '14 at 18:26
  • @Prospector hrm is the only solution to add about 50 paths to ignore? =( – James Wilson Dec 12 '14 at 18:34
  • I think you can ignore paths with "." because your urls should be routed to the view name which doesn't contain .aspx anymore with the routing. I'm guessing, I'm not an MVC programmer just webforms. – prospector Dec 12 '14 at 18:40
  • `new { controller = @"[^\.]*" } ` add that to your routing code – prospector Dec 12 '14 at 18:43
  • @Prospector I'm not sure how to add it for it to be correct, never really messed with routes. Would it be `routes.IgnoreRoute("{*.}", new { controller = @"[^\.]*" } );`? – James Wilson Dec 12 '14 at 18:56
  • maybe this will help more http://weblogs.asp.net/rashid/asp-net-mvc-best-practices-part-2 – prospector Dec 12 '14 at 19:14
  • @Prospector thanks I will give those a shot! – James Wilson Dec 12 '14 at 19:49

1 Answer

These do look pretty harmless, or at least they're probably harmless. There are 2 separate issues here:

The first 2 errors come from someone having a ":" or ">" as part of their request's path. Possibly a URL like "http://yoursite.com/stuff:here". This is something ASP.NET does to help prevent XSS attacks. Unless you have valid URLs that allow this, you probably want to leave it alone. However, if you want to check the errors, you can catch this exception by adding a check for HttpRequestValidationException. There are also some web.config changes you can make to allow these characters if they are necessary to your site's operation:

Getting "A potentially dangerous Request.Path value was detected from the client (&)"

As for the last 3, "The controller for path xxx ...". These are routing issues that only happen on IIS 7 and earlier (as well as the VS WebServer).

One that might work well for you is:

    routes.IgnoreRoute("{*staticfile}", new { staticfile = @".*\.(css|js|gif|jpg|ico)(/.*)?" });
ChrisG
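To see which of the logged messages the `IgnoreRoute` constraint above would actually silence, the pattern can be replayed over the `ErrorLog` messages. This is an added example, not part of the original question or answer; the `ErrorLogTriage` class, its category labels, and the last three sample messages are constructed for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class ErrorLogTriage
{
    // Constraint string from the answer. System.Web.Routing wraps a string
    // constraint as ^(...)$ and matches case-insensitively; mirrored here.
    const string StaticFile = @".*\.(css|js|gif|jpg|ico)(/.*)?";
    static readonly Regex Ignored = new Regex("^(" + StaticFile + ")$",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    static readonly Regex ControllerMiss = new Regex(
        @"^The controller for path '/(?<path>[^']*)' was not found");
    static readonly Regex PathRejected = new Regex(
        @"^A potentially dangerous Request\.Path value was detected");

    public static string Classify(string message)
    {
        if (PathRejected.IsMatch(message)) return "rejected-by-validation";
        Match m = ControllerMiss.Match(message);
        if (!m.Success) return "other";
        // {*staticfile} receives the URL path without its leading slash.
        string path = m.Groups["path"].Value;
        if (Ignored.IsMatch(path)) return "static-covered";
        string lastSegment = path.Substring(path.LastIndexOf('/') + 1);
        // A dot in the last segment suggests a file the pattern does not list.
        return lastSegment.Contains(".") ? "static-not-covered" : "controller-miss";
    }

    static void Main()
    {
        // Constructed sample: the five messages quoted in the question, then
        // three hypothetical rows (.png, .map, and a mistyped controller).
        string[] messages =
        {
            "A potentially dangerous Request.Path value was detected from the client (:).",
            "A potentially dangerous Request.Path value was detected from the client (>).",
            "The controller for path '/images/favicon.ico' was not found or does not implement IController.",
            "The controller for path '/Scripts/jquery-1.4.2.min.js' was not found or does not implement IController.",
            "The controller for path '/Scripts/jquery-ui-1.8.5.custom.min.js' was not found or does not implement IController.",
            "The controller for path '/images/logo.png' was not found or does not implement IController.",
            "The controller for path '/Scripts/site.js.map' was not found or does not implement IController.",
            "The controller for path '/Hmoe' was not found or does not implement IController.",
        };
        foreach (string message in messages)
            Console.WriteLine("{0,-22} {1}", Classify(message), message);
    }
}
```

Rows reported as `static-not-covered` point at extensions missing from the constraint; rows reported as `rejected-by-validation` are requests ASP.NET already refused and need no routing change.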