I have been scanning our deployed (ASP.NET Framework 4.7.2) applications for vulnerabilities and on one of them have encountered the OWASP warning Generic Padding Oracle. My understanding of this vulnerability is that it is essential due to the existence of an 'oracle' that returns specific information when an error is generated (the page in question does not use encryption, so I am assuming that it is the supposed existence of such an oracle that generates the warning).
Now, I am aware that this can happen in ASP.NET applications if one does not set the following
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="~/Home/Error" />
</system.web>
</configuration>
in web.config (or mode="On"), where ~/Home/Error is a valid path to a custom error page. If not, ASP.NET will return its generic error page that leaks information on the error (the 'oracle').
However, this has been set up and I have confirmed that when a deliberate error is generated on the live site, the system returns my custom page. Moreover, our other sites have been set up using the same technology and (so far as I can see) configured in the same way and I have not been getting the warning on these.
So what else could I be missing?
