csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug
semgrep
Author
unknown
Download Count*
License
ASP.NET applications built with debug
set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug
to false
or remove it from <compilation ... />
Run Locally
Run in CI
Defintion
rules:
- id: net-webconfig-debug
message: ASP.NET applications built with `debug` set to true in production may
leak debug information to attackers. Debug mode also affects performance
and reliability. Set `debug` to `false` or remove it from `<compilation
... />`
severity: WARNING
metadata:
likelihood: LOW
impact: LOW
confidence: LOW
category: security
cwe:
- "CWE-11: ASP.NET Misconfiguration: Creating Debug Binary"
owasp:
- A05:2021 - Security Misconfiguration
references:
- https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/
- https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx
subcategory:
- audit
technology:
- .net
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Active Debug Code
languages:
- generic
paths:
include:
- "*web.config*"
patterns:
- pattern: |
<compilation ... debug = "true" ... />
- pattern-inside: |
<system.web>
...
</system.web>
Short Link: https://sg.run/yPWx