ASP.NET Misconfiguration: Creating Debug Binary

ID: 11
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Variant





Description

Debugging messages help attackers learn about the system and plan a form of attack.

Extended Description

ASP.NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.

Applicable Platforms
Language: .NET

Time Of Introduction

  • Implementation
  • Operation

Common Consequences

Scope: Confidentiality
Technical Impact: Read application data
Notes: Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.

Detection Methods
None

Potential Mitigations

Description: Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production (See demonstrative example).

Relationships

Related CWE: CWE-11 ChildOf CWE-895
Type: Category
View: CWE-888

Demonstrative Examples

  1. The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.
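A pre-deployment check for the setting described above, as an added example that is not part of the CWE entry: it parses a web.config and reports every scope where `<compilation debug="true">` is set, including `<location>` overrides. The two sample configurations, the `admin` path and the function names are constructed for illustration, and the check assumes `<configuration>` carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: debug enabled at the root and again inside a
# <location> override (contents are assumptions for illustration).
SAMPLE_DEBUG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="True" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample: the same file with the corrected production setting.
SAMPLE_RELEASE = SAMPLE_DEBUG.replace('debug="true"', 'debug="false"').replace(
    'debug="True"', 'debug="false"')


def find_debug_compilation(config_xml):
    """Return the scopes ('<root>' or a location path) where
    <system.web>/<compilation debug="true"> is set."""
    root = ET.fromstring(config_xml)
    findings = []
    # The root-level <system.web>, plus one scope per <location> override.
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for comp in node.findall("system.web/compilation"):
            # An absent attribute means debug is off; compare
            # case-insensitively so a variant spelling is still reported.
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append(scope)
    return findings


def check_for_release(config_xml):
    """Return True when no scope enables debug compilation."""
    return not find_debug_compilation(config_xml)


if __name__ == "__main__":
    for name, text in (("debug", SAMPLE_DEBUG), ("release", SAMPLE_RELEASE)):
        hits = find_debug_compilation(text)
        print(name, "FAIL: " + ", ".join(hits) if hits else "OK")
```

Run as a build or release gate, a non-empty result from `find_debug_compilation` is the condition to fail on.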

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms
Name: ASP.NET Misconfiguration: Creating Debug Binary

References:
None

© SecPod Technologies