Issue
Out of the box, ASP.NET provides a default error page. It is possible to override this error page by setting <customErrors> or <httpErrors> in the web.config. However, when Contrast Protect is in use, these custom errors do not display.
Cause
The .NET agent blocks attacks by throwing an exception at a low enough level to stop all request processing (including Application_Error), which is necessary to ensure attacks are actually blocked. Custom exception handlers generally do not have access to this scope.
Resolution
In most cases, custom errors will not work when an attack event is stopped by Protect. They may work in some cases if using mode="On" instead of mode="RemoteOnly".
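The mode change described above, shown as a web.config fragment. This is an added example, not configuration from Contrast's documentation; the ~/Error.aspx path is a placeholder for your own error page.

```xml
<configuration>
  <system.web>
    <!-- Before: RemoteOnly serves the custom page to remote clients only;
         requests made from the server itself get the default ASP.NET error page.
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    -->

    <!-- After: On serves the custom page to every client, local or remote.
         Per the article, this may let the custom page display in some cases
         when Protect blocks a request; in most cases it still will not. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

After changing the mode, trigger a blocked request from both a remote client and the server itself to confirm which error page is actually returned.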