Difference between revisions of "ASP.NET Misconfigurations"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 
{{Template:Fortify}}
 
{{Template:Fortify}}
<br>
+
__TOC__
[[Category:OWASP ASDR Project]]
+
[[ASDR Table of Contents]]__TOC__
+
  
==Abstract==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
Debugging messages help attackers learn about the system and plan a form of attack.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 +
[[ASDR Table of Contents]]
  
 
==Description==
 
==Description==
 +
 +
Debugging messages help attackers learn about the system and plan a form of attack.
  
 
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.
 
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.
Line 15: Line 16:
 
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
 
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
  
==Examples ==
+
==Risk Factors==
 +
TBD
 +
 
 +
 
 +
==Examples==
  
 
To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:
 
To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:
Line 27: Line 32:
 
</pre>
 
</pre>
  
==Related Threats==
+
==Related [[Attacks]]==
  
==Related Attacks==
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
==Related Vulnerabilities==
 
  
==Related Countermeasures==
+
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
Note: the contents of "Related Problems" sections should be placed here
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[Control 1]]
 +
* [[Control 2]]
 +
 
 +
Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here
 +
 
 +
 
 +
==Related [[Technical Impacts]]==
 +
 
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 
 +
 
 +
==References==
 +
[[Category:FIXME|need links
 +
 
 +
 
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 
 +
Availability Vulnerability
 +
 
 +
Authorization Vulnerability
 +
 
 +
Authentication Vulnerability
 +
 
 +
Concurrency Vulnerability
 +
 
 +
Configuration Vulnerability
 +
 
 +
Cryptographic Vulnerability
 +
 
 +
Encoding Vulnerability
 +
 
 +
Error Handling Vulnerability
 +
 
 +
Input Validation Vulnerability
 +
 
 +
Logging and Auditing Vulnerability
 +
 
 +
Session Management Vulnerability]]
 +
 
 +
__NOTOC__
  
==Categories==
 
  
 
[[Category:.NET]]
 
[[Category:.NET]]
 
[[Category:Deployment]]
 
[[Category:Deployment]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Environmental Vulnerability]]
 +
[[Category:OWASP ASDR Project]]

Revision as of 07:15, 22 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.JPG.

Contents


Last revision (mm/dd/yy): 09/22/2008

Vulnerabilities Table of Contents ASDR Table of Contents

Description

Debugging messages help attackers learn about the system and plan a form of attack.

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.

The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.

Risk Factors

TBD


Examples

To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:


 <configuration>
   <compilation debug="true"/>
 </configuration>

Related Attacks


Related Vulnerabilities

Note: the contents of "Related Problems" sections should be placed here


Related Controls

Note: contents of "Avoidance and Mitigation" and "Countermeasure" related Sections should be placed here


Related Technical Impacts


References