Sushant Rawat

Reputation: 100

Asp.Net Web API Block Arbitrary text on 404 page

In my application (Asp.Net Web API), if the attacker inserts arbitrary text after the API URL, then that text is displayed in the 404 error page. This can be used by an attacker to trick users into clicking custom links or for phishing attacks.

I want to block any arbitrary text from showing up on the error page like this. Point to note here: we have not implemented GUID-based error messaging in the application.

Upvotes: 1

Views: 467

Answers (1)

Giox

Reputation: 5123

In order to set up a custom 404 error page, add the following to web.config inside <system.web></system.web>:

<customErrors mode="On" redirectMode="ResponseRewrite">
  <error statusCode="404" redirect="~/404.html"/>
</customErrors>

I've set mode="On" so we can view the custom error pages locally. Generally you would only want to display these in production, so you would set mode="RemoteOnly".

Then also add custom error pages in IIS (note that this only works in IIS 7+). In web.config, add the following inside <system.webServer></system.webServer>:

<httpErrors errorMode="Custom">
  <remove statusCode="404"/>
  <error statusCode="404" path="/404.html" responseMode="File"/>
</httpErrors>

If it doesn't help, as I don't know the architecture of your application, you should go for a route matching solution:

  • Implementing a smart IHttpRouteConstraint
  • Applying the constraint to attribute routing
  • Applying the constraint to centralized routing

Here are the details of the implementation: https://www.strathweb.com/2014/10/route-matching-overriding-404-asp-net-web-api/

Upvotes: 1
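An added example (not from the answer above or from the linked strathweb article) that complements the web.config approach: a Web API message handler that replaces any 404 produced inside the Web API pipeline (such as the routing dispatcher's default "No HTTP resource was found that matches the request URI ..." response, which echoes the URL) with a fixed body, so the requested path is never reflected. `StaticNotFoundHandler` and the registration line are hypothetical names; 404s for paths that never reach Web API are still handled by IIS and the httpErrors section above.

```csharp
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical handler name. Sits in the Web API message-handler chain and
// rewrites every 404 that flows back through it with a constant page.
public class StaticNotFoundHandler : DelegatingHandler
{
    // Constant body: contains nothing derived from the request, so there is
    // nothing for an attacker to inject via the URL.
    private const string Body =
        "<html><body><h1>404 - Resource not found</h1></body></html>";

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Let routing/controller dispatch run first.
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        if (response.StatusCode == HttpStatusCode.NotFound)
        {
            // Drop whatever body the framework built (it may include the
            // request URI) and substitute the fixed page.
            if (response.Content != null)
            {
                response.Content.Dispose();
            }
            response.Content = new StringContent(Body, Encoding.UTF8, "text/html");
        }
        return response;
    }
}

// Registration (assumed to live in WebApiConfig.Register, the usual place
// for a Web API 2 project):
//
//   public static void Register(HttpConfiguration config)
//   {
//       config.MessageHandlers.Add(new StaticNotFoundHandler());
//       config.MapHttpAttributeRoutes();
//       // ... existing route configuration ...
//   }
```

After deploying, request a non-existent API path containing a distinctive marker string and confirm the marker does not appear anywhere in the 404 response body or headers.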
