logo

ASP.NET Misconfiguration: Creating Debug Binary

Draft Variant
Structure: Simple
Description

Debugging messages help attackers learn about the system and plan a form of attack.

Extended Description

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.
Common Consequences 1
Scope: Confidentiality

Impact: Read Application Data

Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: System Configuration
Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.
Demonstrative Examples 1
The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.

Code Example:

Bad
XML
xml
Change the debug mode to false when the application is deployed into production.
References 1
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Applicable Platforms
Languages:
ASP.NET : Undetermined
Modes of Introduction
Implementation
Build and Compilation
Related Weaknesses
ChildOf: Active Debug Code (CWE-489)
Taxonomy Mapping
  • 7 Pernicious Kingdoms