Creating an ASP.NET debug binary may reveal sensitive information

ID: cs/web/debug-binary
Kind: problem
Security severity: 7.5
Severity: warning
Precision: very-high
Tags:
- security
- maintainability
- frameworks/asp.net
- external/cwe/cwe-11
- external/cwe/cwe-532
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls
ASP.NET applications that deploy a ‘debug’ build to production can reveal debugging information to end users. This debugging information can aid a malicious user in attacking the system. The use of the debugging flag may also impair performance, increasing execution time and memory usage.
Recommendation

Remove the ‘debug’ flag from the Web.config file if this configuration is likely to be used in production.
Example

The following example shows the ‘debug’ flag set to true in a Web.config file for ASP.NET:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <compilation defaultLanguage="c#" debug="true" />
        ...
      </system.web>
    </configuration>
This will produce a ‘debug’ build that may be exploited by an end user.
To fix this problem, the ‘debug’ flag should be set to false, or removed completely:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <compilation defaultLanguage="c#" />
        ...
      </system.web>
    </configuration>
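A small pre-deployment check for this setting, added here as an example and not part of the CodeQL query or its documentation: it parses a Web.config, reports whether `<system.web><compilation>` explicitly enables debug (ASP.NET treats a missing attribute as false), and applies the "removed completely" fix from above. The two embedded configs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config with the weak setting (not from the page).
DEBUG_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
  </system.web>
</configuration>"""

# Constructed sample with the flag removed, as the recommendation describes.
SAFE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
  </system.web>
</configuration>"""


def _compilation_element(root):
    """Locate the first <compilation> element under any <system.web>,
    including ones nested inside <location> blocks."""
    for system_web in root.iter("system.web"):
        comp = system_web.find("compilation")
        if comp is not None:
            return comp
    return None


def debug_enabled(web_config_xml: str) -> bool:
    """True only if debug is explicitly set to true (any casing);
    an absent attribute or debug="false" is a release build."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    comp = _compilation_element(root)
    if comp is None:
        return False
    return comp.get("debug", "false").strip().lower() == "true"


def remove_debug_flag(web_config_xml: str) -> str:
    """Return the config with the debug attribute dropped from
    <compilation>. The XML declaration is not reproduced by tostring."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    comp = _compilation_element(root)
    if comp is not None and "debug" in comp.attrib:
        del comp.attrib["debug"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("debug", DEBUG_CONFIG), ("safe", SAFE_CONFIG)):
        print(f"{name}: debug build = {debug_enabled(cfg)}")
    print("after fix:", debug_enabled(remove_debug_flag(DEBUG_CONFIG)))
```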
References
MSDN: Why debug=false in ASP.NET applications in production environment.
Common Weakness Enumeration: CWE-11.
Common Weakness Enumeration: CWE-532.