Difference between revisions of "ASP.NET Misconfigurations"
(Added Contents provided by Fortify.)
|Line 1:||Line 1:|
Revision as of 18:31, 20 September 2008
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
ASDR Table of Contents
Debugging messages help attackers learn about the system and plan a form of attack.
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:
<configuration> <compilation debug="true"/> </configuration>