ASP.NET Misconfiguration: Creating Debug Binary
ID: 11 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
Debugging messages help attackers learn about the system and
plan a form of attack.
Extended Description
ASP.NET applications can be configured to produce debug binaries. These
binaries give detailed debugging messages and should not be used in
production environments. Debug binaries are meant to be used in a
development or testing environment and can pose a security risk if they are
deployed to production.
Applicable Platforms
Language: .NET
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read application data | Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
| | Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production (See demonstrative example). | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-11 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The file web.config contains the debug mode setting. Setting debug
to "true" will let the browser display debugging information.
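A check for the setting described above, as an added example that is not part of the original CWE entry: it parses a web.config and reports every `<compilation>` element with `debug="true"`, including ones nested under a `<location>` element. The sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: debug is on at the root and in one
# <location> block, and off in another.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
  </system.web>
  <location path="legacy">
    <system.web><compilation debug="true" /></system.web>
  </location>
  <location path="api">
    <system.web><compilation debug="false" /></system.web>
  </location>
</configuration>
"""

def _local(tag):
    """Strip an XML namespace, e.g. '{uri}compilation' -> 'compilation'."""
    return tag.rsplit("}", 1)[-1]

def find_debug_compilation(xml_text):
    """Return the scopes whose <compilation> element has debug enabled.

    A scope is "(root)" or the path attribute of the enclosing <location>.
    A missing debug attribute counts as disabled (the ASP.NET default).
    """
    findings = []

    def walk(node, scope):
        for child in node:
            name = _local(child.tag)
            if name == "location":
                walk(child, child.get("path") or "(root)")
            elif name == "compilation":
                # Compare case-insensitively so a stray "True" is still flagged.
                if child.get("debug", "false").strip().lower() == "true":
                    findings.append(scope)
            else:
                walk(child, scope)

    walk(ET.fromstring(xml_text), "(root)")
    return findings

if __name__ == "__main__":
    for scope in find_debug_compilation(SAMPLE_WEB_CONFIG):
        print(f'debug="true" in scope {scope}: set it to "false" before deploying')
```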
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
7 Pernicious Kingdoms | | ASP.NET Misconfiguration: Creating Debug Binary | |
References: None