csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

ASP.NET applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug to false or remove it from <compilation ... />

Run Locally

Run in CI

Defintion

rules:
  - id: net-webconfig-debug
    message: ASP.NET applications built with `debug` set to true in production may
      leak debug information to attackers. Debug mode also affects performance
      and reliability. Set `debug` to `false` or remove it from `<compilation
      ... />`
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: LOW
      category: security
      cwe:
        - "CWE-11: ASP.NET Misconfiguration: Creating Debug Binary"
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/
        - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx
      subcategory:
        - audit
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - generic
    paths:
      include:
        - "*web.config*"
    patterns:
      - pattern: |
          <compilation ... debug = "true" ... />
      - pattern-inside: |
          <system.web>
            ...
          </system.web>