• CodeQL query help documentation »
• CodeQL query help for C# »

Creating an ASP.NET debug binary may reveal sensitive information

ID: cs/web/debug-binary
Kind: problem
Security severity: 7.5
Severity: warning
Precision: very-high
Tags:
   - security
   - maintainability
   - frameworks/asp.net
   - external/cwe/cwe-11
   - external/cwe/cwe-532
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

ASP.NET applications that deploy a ‘debug’ build to production can reveal debugging information to end users. This debugging information can aid a malicious user in attacking the system. The use of the debugging flag may also impair performance, increasing execution time and memory usage.

Recommendation

Remove the ‘debug’ flag from the Web.config file if this configuration is likely to be used in production.

Example

The following example shows the ‘debug’ flag set to true in a Web.config file for ASP.NET:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
      debug="true"
    />
   ...
  </system.web>
</configuration>

This will produce a ‘debug’ build that may be exploited by an end user.

To fix this problem, the ‘debug’ flag should be set to false, or removed completely:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
    />
   ...
  </system.web>
</configuration>

References

• MSDN: Why debug=false in ASP.NET applications in production environment.

• MSDN: How to: Enable Debugging for ASP.NET Applications.

• Common Weakness Enumeration: CWE-11.

• Common Weakness Enumeration: CWE-532.

• © GitHub, Inc.
• Terms
• Privacy