CodeQL documentation
CodeQL resources

Creating an ASP.NET debug binary may reveal sensitive information

ID: cs/web/debug-binary
Kind: problem
Security severity: 7.5
Severity: warning
Precision: very-high
Tags:
  - security
  - maintainability
  - frameworks/asp.net
  - external/cwe/cwe-011
  - external/cwe/cwe-532
Query suites:
  - csharp-code-scanning.qls
  - csharp-security-extended.qls
  - csharp-security-and-quality.qls


ASP.NET applications that deploy a ‘debug’ build to production can reveal debugging information to end users. This debugging information can aid a malicious user in attacking the system. The use of the debugging flag may also impair performance, increasing execution time and memory usage.

Recommendation

Remove the ‘debug’ flag from the Web.config file if this configuration is likely to be used in production.

Example

The following example shows the ‘debug’ flag set to true in a Web.config file for ASP.NET:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
      debug="true"
    />
    ...
  </system.web>
</configuration>

This will produce a ‘debug’ build that may be exploited by an end user.

To fix this problem, the ‘debug’ flag should be set to false, or removed completely:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
    />
    ...
  </system.web>
</configuration>
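A small deployment-time check for the setting discussed above, added here as an example and not part of the CodeQL query or its documentation. It parses a Web.config with Python's standard library and reports whether the <compilation> element under <system.web> enables debug builds; the two embedded configs are constructed copies of the vulnerable and fixed fragments shown on this page, and the function and file names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragments mirroring the page's examples.
DEBUG_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
  </system.web>
</configuration>"""

FIXED_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
  </system.web>
</configuration>"""


def debug_compilation_enabled(web_config_xml: str) -> bool:
    """Return True when <system.web><compilation debug="true"> is present.

    A missing <compilation> element or a missing debug attribute means the
    ASP.NET default (debug="false"), so both return False. The attribute
    value is compared case-insensitively, since .NET accepts "True" as well
    as "true" for boolean configuration attributes.
    """
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a Web.config document: root is <%s>" % root.tag)
    compilation = root.find("./system.web/compilation")
    if compilation is None:
        return False
    return compilation.get("debug", "false").strip().lower() == "true"


def check_web_config(path: str) -> bool:
    """Read a Web.config from disk and report whether it produces a debug build."""
    with open(path, encoding="utf-8") as fh:
        return debug_compilation_enabled(fh.read())


if __name__ == "__main__":
    for name, xml in (("debug", DEBUG_CONFIG), ("fixed", FIXED_CONFIG)):
        state = "FLAGGED: debug build" if debug_compilation_enabled(xml) else "ok"
        print(f"{name} config: {state}")
```

Run this against the Web.config in the deployment artifact, not only the one in source control, since transforms and manual edits on the server can reintroduce the flag.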
