csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug

semgrep

Author

unknown

Download Count*

License

ASP.NET applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug to false or remove it from <compilation ... />

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: net-webconfig-debug
    message: ASP.NET applications built with `debug` set to true in production may
      leak debug information to attackers. Debug mode also affects performance
      and reliability. Set `debug` to `false` or remove it from `<compilation
      ... />`
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: LOW
      category: security
      cwe:
        - "CWE-11: ASP.NET Misconfiguration: Creating Debug Binary"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/
        - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx
      subcategory:
        - audit
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
    languages:
      - generic
    paths:
      include:
        - "*web.config*"
    patterns:
      - pattern: |
          <compilation ... debug = "true" ... />
      - pattern-inside: |
          <system.web>
            ...
          </system.web>

Short Link: https://sg.run/yPWx