ASP.NET Misconfigurations

Revision as of 18:31, 20 September 2008 by KirstenS (Talk | contribs)

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by Fortify.JPG.

ASDR Table of Contents


Debugging messages help attackers learn about the system and plan a form of attack.


ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.

The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.


To identify this vulnerablity, look for the following pattern on the compilation section within the system.web group of the Web.config file at the application's root directory:

   <compilation debug="true"/>

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures