
I have a Web API 2 project with several routes and controllers. I began testing some fairly standard security functionality including SQL Injection. I attempted to pass a request parameter of "*" to a route with database operations. Immediately I was met with a detailed response in the form of HTML which was less than useful for my C# console application I was using to test.

The HTML did have the only real piece of information I wanted however, which was the exception message, along with the status code. Here is part of the HTML:

<body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>

            <h2> <i>A potentially dangerous Request.Path value was detected from the client (*).</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

            <b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
...

This security exception is thrown before it enters one of my custom controllers where I have error-handling logic in place. Is there a way to override this HTML that is returned, and instead return a standard HttpResponse or HttpResponseMessage without completely replacing the standard security measures that are clearly functioning properly here before it even gets to my routes? Is this an unwise idea? Is this a configurable setting?

1 Answer


I am going to post the answer that I arrived at with help from this post. Note the comments below this answer to see why my answer is slightly different. I will not mark this answer as the 'accepted' one until y'all get a chance to answer/point out my mistakes. I do feel what I am trying to do here IS different enough from the question and answer that it warrants its own post. We will see if the mods and the mob agree.

I am essentially overriding the default error event handler in the Global.asax.cs class file, and only writing the HttpException.Message to the Response:

using System;
using System.Net;
using System.Web;

// Global.asax.cs: runs for any unhandled exception in the ASP.NET pipeline,
// including ones raised before Web API routing (such as request validation).
protected void Application_Error(object sender, EventArgs e)
{
    var exception = Server.GetLastError();
    if (exception is HttpException)
    {
        // Discard the default HTML error page and the pending response.
        Server.ClearError();
        Response.Clear();
        // Return only the status code and the exception message as plain text.
        Response.StatusCode = (int)HttpStatusCode.BadRequest;
        Response.Write(exception.Message);
        // Skip the remaining pipeline events so nothing else is appended.
        HttpContext.Current.ApplicationInstance.CompleteRequest();
        return;
    }
}

I could probably even eliminate the if statement and just return every exception this way. Honestly I haven't run into any other issues yet though.

  • Sending server-side exception messages to the client can make some security-minded people cringe. I like returning a JSON object that has the [User Friendly Exception Message](http://j2jensen.blogspot.com/2014/12/user-facing-exceptions.html) if one is available, but includes the Exception's ToString() for specific high-trust cases (e.g. super users, or when in debug mode, or where the request is from the same machine as the server). – StriplingWarrior Aug 20 '20 at 20:42
  • Also: ExceptionHandlers are probably a better way to do this than Application_Error – StriplingWarrior Aug 20 '20 at 20:43
  • @StriplingWarrior I can certainly understand that. This will be used on an internal system with very few 'real' users and mostly applications on the same server, but your concern is noted and appreciated. Could you elaborate a bit more on how to customize the ExceptionHandlers? I must admit I do not have much experience with Web API and I am not sure how to access them outside of my controllers. – joeschmoe54321 Aug 20 '20 at 20:47
  • You just create a class with the exception-handling logic, and register it with Web API so it's active on all requests. The Custom Error Message Exception Handler and Registering Exception Filters sections of [this page](https://learn.microsoft.com/en-us/aspnet/web-api/overview/error-handling/web-api-global-error-handling#custom-error-message-exception-handler) should get you started. If you want to return a JSON object instead of plain text, use a ResponseMessageResult with an ObjectContent with a JsonMediaTypeFormatter. – StriplingWarrior Aug 24 '20 at 17:29