Question

It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting

<customErrors defaultRedirect="~/generalerror.html?" mode="On" />

As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLs like

http://website.com/?x="<p>"
http://website.com/"<p>"

BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this

http://website.com/&x="<p>"

totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page?

If I turn mode="Off" in the web.config I get the following error

A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").

Solution

Since you are passing HTML tags in the URL, it could be indicative of a cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, ASP.NET considers it a cross-site scripting attack and doesn't allow it by default.

You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.

To change this behavior, you can set request validation to false in web.config.

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

But in this case, requests need to be validated in the pages.

Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.

<httpRuntime requestValidationMode="2.0" />
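The check the answer is talking about, as an added example that is not part of the original post and is not ASP.NET's own code: a small Python reimplementation of the string heuristic behind request validation, run over the three URLs from the question. The rules used ('<' followed by a letter, '!', '/' or '?', and '&' followed by '#') are the commonly documented ASP.NET 4 rules and are an assumption here; the split into a raw-URL check and a per-query-value check mirrors the two error messages the framework emits (Request.RawUrl and Request.QueryString) and is likewise an assumption about how the checks are applied. The function names and the sample URLs are constructed for this example.

```python
"""Approximation of ASP.NET request validation, written for this page.

Not the framework's code. Rules are an assumption based on the documented
ASP.NET 4 behaviour: '<' followed by an ASCII letter, '!', '/' or '?', and
'&' followed by '#', are treated as potentially dangerous.
"""
from urllib.parse import parse_qsl, quote, urlsplit


def is_dangerous(value: str) -> bool:
    """Return True if `value` contains a sequence request validation rejects.

    A lone '<' or '&' (e.g. 'a < b', 'x=1&y=2') is not flagged; only the
    two-character sequences listed above are.
    """
    for i in range(len(value) - 1):
        c, nxt = value[i], value[i + 1]
        if c == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if c == "&" and nxt == "#":
            return True
    return False


def check_request(url: str) -> dict:
    """Run the heuristic over the parts of a request the framework inspects.

    Assumption: two checks are modelled, matching the two error texts
    ASP.NET produces. 'RawUrl' is the path plus query exactly as sent by
    the client; 'QueryString[name]' is each query value after
    percent-decoding. Returns check name -> True when that check rejects.
    """
    parts = urlsplit(url)
    raw_url = parts.path + ("?" + parts.query if parts.query else "")
    result = {"RawUrl": is_dangerous(raw_url)}
    for name, val in parse_qsl(parts.query, keep_blank_values=True):
        result[f"QueryString[{name}]"] = is_dangerous(val)
    return result


def encode_for_query(value: str) -> str:
    """Percent-encode a value for a URL, leaving no reserved character bare."""
    return quote(value, safe="")


def page_level_validate(form_values: dict) -> list:
    """What a page must do itself once validateRequest="false" is set:
    re-run the same check on every value it reads and report offenders.
    Returns the list of field names that would have been rejected.
    """
    return [name for name, val in form_values.items() if is_dangerous(val)]


if __name__ == "__main__":
    # Constructed sample URLs, taken from the question text.
    for u in ('http://website.com/?x="<p>"',
              'http://website.com/"<p>"',
              'http://website.com/&x="<p>"',
              'http://website.com/?x=' + encode_for_query('"<p>"')):
        print(u, "->", check_request(u))
```

Running the block shows that all three of the question's URLs trip the heuristic, and that what trips it is the `<p` sequence rather than the `&`; the difference the question observes is in how the failure is surfaced, not in whether it is detected. It also shows the limit of "encode the URL": percent-encoding `"<p>"` keeps the raw URL clean, but the decoded query value is still flagged, so a page that turns validation off with `validateRequest="false"` has to apply the same kind of check itself, which is what `page_level_validate` sketches.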
Licensed under: CC-BY-SA with attribution