I am using IIS8 with an MVC.NET website built on .NET Framework 4.5. As part of a security fix, I am told to have a generic error message for all 403 status codes. I was able to achieve this using the httpErrors tag in the web.config file, using "" entry. But there are some errors thrown by http.sys which are still showing the system-level errors instead of the generic error. For example, doing a GET request to the URL "http://abc.xyz.com/login/../../../../../../../admin.txt" returns the "HTTP Error 403. The request URL is forbidden." error, while it should return the generic error message which is mentioned in my httpErrors tag.
To my surprise, if I stop the website (not IIS), I still get the same error, which confirmed that the error is handled at the low-level APIs of IIS and is not passed down to the application layer; hence any changes in web.config are not helping to fix this issue.
Could someone please shed some light on how to fix this issue?
Thanks Ajay Sawant
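
The following is an added example, not part of the original post: a small Python check that tells an error response generated by HTTP.sys apart from the site's own generic error page, which is useful when auditing which 403s still bypass the httpErrors setting. The sample responses are constructed, and the marker string `generic-error-page` is a hypothetical value assumed to appear only in the custom error page.

```python
import re

# Server header HTTP.sys puts on responses it generates itself.
HTTPAPI_SERVER = re.compile(r"^Microsoft-HTTPAPI/\d+\.\d+$", re.I)
# Fallback if the Server header is stripped: body wording as quoted in the post.
HTTPSYS_BODY = re.compile(r"HTTP Error \d{3}\. ")

GENERIC_MARKER = "generic-error-page"  # hypothetical marker in the custom page

# Constructed sample responses (not captured from a real server).
HTTPSYS_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Connection: close\r\n\r\n"
    b"<h2>Forbidden URL</h2><hr>"
    b"<p>HTTP Error 403. The request URL is forbidden.</p>"
)
CUSTOM_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.0\r\n\r\n"
    b"<html><body><!-- generic-error-page -->An error occurred.</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")

def error_origin(raw, marker=GENERIC_MARKER):
    """Classify which layer produced an error response."""
    status, headers, body = parse_response(raw)
    if status < 400:
        return "not-an-error"
    if marker in body:
        return "custom-error-page"
    if HTTPAPI_SERVER.match(headers.get("server", "")) or HTTPSYS_BODY.search(body):
        return "http.sys"
    return "other"

if __name__ == "__main__":
    for name, raw in (("traversal URL", HTTPSYS_403), ("app 403", CUSTOM_403)):
        print(name, "->", error_origin(raw))
```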