An attacker of this vulnerability can use it and download file like web.config which contains sensitive data about the application including connection string for database etc.Currently a (temporary) workaround (till a proper patch for this vulnerability is made available) has been provided by Microsoft.The workaround involves setting the customerror in such a way that it returns only one page on any kind of error.Below is detail on how the workaround should be applied.Enabling the Workaround on ASP.NET V1.0 to V3.5If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET3.5 then you should follow the below steps to enable <customErrors> andmap all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings:<configuration> <system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Currently a (temporary) workaround (till a proper patch for this vulnerability is made available) has been provided by Microsoft.The workaround involves setting the customerror in such a way that it returns only one page on any kind of error.Below is detail on how the workaround should be applied.Enabling the Workaround on ASP.NET V1.0 to V3.5If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET3.5 then you should follow the below steps to enable <customErrors> andmap all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings:<configuration> <system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Below is detail on how the workaround should be applied.Enabling the Workaround on ASP.NET V1.0 to V3.5If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET3.5 then you should follow the below steps to enable <customErrors> andmap all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings:<configuration> <system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET3.5 then you should follow the below steps to enable <customErrors> andmap all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings:<configuration> <system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<configuration> <system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<system.web> <customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<customErrors mode="On" defaultRedirect="~//error.html" //> <//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//system.web> <//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//configuration>3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.Notes: The important things to note above is that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:1) Edit your ASP.NET Application’s root Web.Configfile. If the file doesn’t exist, then create one in the root directory ofthe application.2) Create or modify the <customErrors> section of the web.config file tohave the below settings. Note the use of redirectMode=”ResponseRewrite” with .NET 3.5 SP1 and .NET 4.0:<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<configuration> <system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<system.web> <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~//error.aspx" //> <//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//system.web><//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//configuration> 3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.VB VersionBelow is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into theapplication directory on your web-server:<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Page Language="VB" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Import Namespace="System.Threading" %><script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<script runat="server"> Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Sub Page_Load() Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Dim delay As Byte() = New Byte(0) {} Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider() prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
prng.GetBytes(delay) Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Thread.Sleep(CType(delay(0), Integer)) Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Dim disposable As IDisposable = TryCast(prng, IDisposable) If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
If Not disposable Is Nothing Then disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
disposable.Dispose() End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
End If End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
End Sub<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//script><html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<html><head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<head runat="server"> <title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<title>Error<//title><//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//head><body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<body> <div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<div> Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Sorry - an error occured <//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//div><//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//body><//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//html>C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
C# VersionBelow is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into anapplication – you can optionally just save it into the application directory on your web-server:<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Page Language="C#" AutoEventWireup="true" %><%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Import Namespace="System.Security.Cryptography" %><%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
if (disposable != null) { disposable.Dispose(); } }<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
}<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//script> <html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<html><head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<head runat="server"> <title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<title>Error<//title><//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//head><body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<body> <div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<div> An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
An error occurred while processing your request. <//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//div><//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//body><//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
<//html>How to Find More Information about this VulnerabilityYou can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
You can learn more about this vulnerability from:Microsoft Security Advisory 2416728 Understanding the ASP.NET Vulnerability Microsoft Security Response Center Blog Post Vikram
Vikram
Interesting issue.
Hi Vikram, I want to know if this issue still unsolved or it's safe now ? and you mentioned all the ASP.NET versions up to 3.5, what about ASP.NET 4.0 ?
Hi Kashef,
The issue has been solved a new fix is available from microsoft. If you search your will easily find that