Vulnerability ID: YL6U-GDCH-0CDB-CH30
Application Name: IISexpress-Goat2
Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/99b90da9-b3c6-45a7-b40c-b481c850b33c/vulns/YL6U-GDCH-0CDB-CH30
What Happened?
The configuration in C:\Users\Administrator\Source\Repos\WebGoat.NET\WebGoat\web.config had mode set to Off in the following customErrors section:
<customErrors mode="Off" />
What's the risk?
A web.config file has the custom errors mode set to off (<customErrors mode="Off"...). The application will display detailed error messages, including full stack traces and other technical information. An attacker can use this information to refine their attacks.
Recommendation
Custom errors can be enabled by changing the mode value to "RemoteOnly" or "On", as shown in this example:
<customErrors mode="On" />
First Event
(no event)
Last Event
(no event)
HTTP Request
(No HTTP Request)
References
http://msdn.microsoft.com/en-us/library/y123fsf7.aspx