CWE-11: ASP.NET Misconfiguration: Creating Debug Binary

Description

Debugging messages help attackers learn about the system and plan a form of attack.

Extended Description

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A
Build and Compilation	N/A

Common Consequences

Impact: Read Application Data — Notes: Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.

Potential Mitigations

System Configuration: Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production. (N/A)

Applicable Platforms

ASP.NET (N/A, Undetermined)

Demonstrative Examples

Intro: The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.

Body: Change the debug mode to false when the application is deployed into production.

<?xml version="1.0" encoding="utf-8" ?> <configuration> <system.web> <compilation defaultLanguage="c#" debug="true" /> ... </system.web> </configuration>

Notes

No notes available.

← Back to CWE list