Usually the error HTTP 403 is triggered when the directory browsing is disabled in IIS and the user tries to access a specific directory with forbidden access from the website structure.
An attacker can use the HTTP 403 error to map your website directories in order for him to discover sensitive information for an attack.
Remedy
Always display custom errors in case of an exception and provide a generic text for 404 and 403 errors because this way the attacker will not identify what code the error had.
<httpErrors errorMode="Custom" existingResponse="Replace"> <remove statusCode="404" subStatusCode="-1" /> <remove statusCode="403" subStatusCode="-1" /> <error statusCode="404" path="/Error.aspx" responseMode="ExecuteURL"/> <error statusCode="403" path="/Error.aspx" responseMode="ExecuteURL"/> </httpErrors>
