In a penetration test report, a finding criticized the disclosure of detailed error messages that reveal the technology used for the implementation. Concretely, the finding concerned error messages returned in responses from a .NET Core Web API to requests with an incorrect body. Because the request body is malformed, deserialization of the body fails and, by default, the client receives a response similar to the following.

To avoid the exposure of detailed error messages concerning request body deserialization in .NET Web API responses, configure the MVC services as follows.
public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddMvc().AddJsonOptions(options =>
    {
        // Suppress input formatter (deserialization) exception details in 400 responses.
        options.AllowInputFormatterExceptionMessages = false;
    });
}
Setting AllowInputFormatterExceptionMessages to false causes a generic error message to be returned in the response instead:
{
    "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
    "title": "One or more validation errors occurred.",
    "status": 400,
    "traceId": "00-0885169ec31e128bb5ad76295c9c5a5d-dad2a5940e4fa9a8-00",
    "errors": {
        "$": [
            "The input was not valid."
        ]
    }
}
To expose detailed error messages in development environments only, configure the MVC services as follows.
public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddMvc().AddJsonOptions(options =>
    {
        // Environment is the hosting environment injected into Startup's constructor
        // (IWebHostEnvironment on ASP.NET Core 3.x); details are only shown in Development.
        options.AllowInputFormatterExceptionMessages = Environment.IsDevelopment();
    });
}
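A regression test that checks the setting actually holds outside Development, added here as an example and not part of the original post. It assumes an xUnit test project referencing Microsoft.AspNetCore.Mvc.Testing, that the API's Startup class is in scope, and a hypothetical route "/api/items" that binds a JSON request body; note that WebApplicationFactory defaults to the Development environment, so the test must override it or the environment-dependent configuration above would re-enable the detailed messages.

```csharp
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Regression test: malformed JSON must yield the generic 400 body outside Development.
// Assumes the API's Startup class is in scope (add a using for its namespace) and a
// hypothetical route "/api/items" that accepts a JSON body.
public class InputFormatterMessageTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly WebApplicationFactory<Startup> _factory;

    public InputFormatterMessageTests(WebApplicationFactory<Startup> factory)
    {
        // WebApplicationFactory runs the app in the Development environment by default,
        // which would turn detailed messages back on; force a non-development environment.
        _factory = factory.WithWebHostBuilder(builder => builder.UseEnvironment("Production"));
    }

    [Fact]
    public async Task MalformedBody_ReturnsGenericValidationError()
    {
        HttpClient client = _factory.CreateClient();
        // Constructed, deliberately truncated JSON: deserialization fails before model binding.
        var body = new StringContent("{ \"name\": ", Encoding.UTF8, "application/json");

        HttpResponseMessage response = await client.PostAsync("/api/items", body);
        string text = await response.Content.ReadAsStringAsync();

        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
        Assert.Contains("The input was not valid.", text);
        // System.Text.Json's detailed message carries parser position details
        // ("Path: ... | LineNumber: ... | BytePositionInLine: ..."); their absence
        // shows the exception text was not forwarded to the client.
        Assert.DoesNotContain("LineNumber", text);
        Assert.DoesNotContain("BytePositionInLine", text);
    }
}
```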
