How to prevent access to the Hidden Directories like Scripts, Contents, aspnet_client from browser in a asp.net mvc application?

Question

I want to prevent the user from accessing the Hidden Directories like Scripts, Contents, aspnet_client directly from the browser in a asp.net mvc 2 application. Currently whenever I try to access the above mentioned Hidden Directories it is returning the following error message:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

I want to show "404 Not Found" error page whenever one tries to access the above mentioned hidden directories.

Can anyone help me with to resolve this issue?

Answer 1

When attacker try to access the file with some random name, if given file name not exists then it will give error like "404 File not exists". if file name exists but don't have access to file then it will return error like "403 Forbidden" error. so attacker get idea of the file and file directory.

So the application should be capable of handling this issue

Solution is to show the return response in different way, recommended to show as 404 error.

To do this in IIS we can add customerError configuration in the web.config file.

Please check the below article for the details of issue and solution.

https://www.c-sharpcorner.com/UploadFile/092589/custom-error-page-in-Asp-Net/

Answer 2

You may want to add custom handler - something like this - http://forums.asp.net/post/4152906.aspx