Difference between revisions of "ASP.NET Misconfigurations"

From OWASP
(Added Contents provided by Fortify.)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
{{Template:Fortify}}
 +
 +
==Abstract==
 +
 +
Debugging messages help attackers learn about the system and plan a form of attack.
  
 
==Description==
 
==Description==
  
Many parts of an ASP.NET application are dynamically compiled at runtime (.aspx and .asmx files, for example). You can configure the ASP.NET runtime to compile the application with symbolic information so that the application can be debugged. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files. Debug binaries can reveal detailed debugging messages and inner working of the application. This kind of information can be used by attackers to launch attacks against the application. Debug binaries should not be used in production systems.
+
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.
 +
 
 +
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
  
 
==Examples ==
 
==Examples ==
  
 
To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:
 
To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:
 +
 +
<pre>
  
 
  <configuration>
 
  <configuration>
 
   <compilation debug="true"/>
 
   <compilation debug="true"/>
 
  </configuration>
 
  </configuration>
 +
 +
</pre>
  
 
==Related Threats==
 
==Related Threats==
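Review bot: the snippet under ==Examples== places <compilation debug="true"/> directly under <configuration>, while the sentence introducing it says the compilation section sits within the system.web group; wrap the element in <system.web> so the pattern matches the text and a real Web.config. The same sentence still carries the misspelling "vulnerablity", which this revision could fix while it is touching the section to add the <pre> tags.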
Line 23: Line 34:
 
==Categories==
 
==Categories==
  
{{Template:Stub}}
 
 
{{Template:Stub}}
 
 
[[Category:.NET]]
 
[[Category:.NET]]
 
[[Category:Deployment]]
 
[[Category:Deployment]]
 
[[Category:Environmental Vulnerability]]
 
[[Category:Environmental Vulnerability]]

Revision as of 12:49, 21 July 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Abstract

Debugging messages help attackers learn about the system and plan a form of attack.

Description

ASP.NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.

The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted at the framework, database, or other resources used by the application.

Examples

To identify this vulnerability, look for the following pattern in the compilation section within the system.web group of the Web.config file at the application's root directory:

 <configuration>
   <system.web>
     <compilation debug="true"/>
   </system.web>
 </configuration>
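The check described above can be automated before deployment. The following Python function is an added example, not part of the original article or of Fortify's content; going slightly beyond the pattern shown, it also inspects `<location>` blocks and tolerates a default XML namespace on the root element. The sample documents and the path `app1` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real application).
DEBUG_ON = """<configuration>
  <system.web>
    <compilation debug="true"/>
  </system.web>
</configuration>"""

DEBUG_IN_LOCATION = """<configuration>
  <system.web>
    <compilation debug="false"/>
  </system.web>
  <location path="app1">
    <system.web>
      <compilation debug="true"/>
    </system.web>
  </location>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <compilation debug="false"/>
  </system.web>
</configuration>"""


def find_debug_compilation(web_config_xml):
    """Return the scopes whose <compilation> element has debug enabled."""
    root = ET.fromstring(web_config_xml)
    # Drop any default XML namespace so the element paths below still match.
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    # "(root)" is configuration/system.web; other scopes are <location> paths.
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for name, node in scopes:
        for comp in node.findall("system.web/compilation"):
            # Compare case-insensitively so casing variants are not missed.
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append(name)
    return findings


if __name__ == "__main__":
    for label, xml in [("debug on", DEBUG_ON), ("location", DEBUG_IN_LOCATION), ("hardened", HARDENED)]:
        print(label, "->", find_debug_compilation(xml) or "ok")
```

A non-empty result lists each scope that would ship debug binaries; a release pipeline can fail the build on it.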

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories