csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: net-webconfig-trace-enabled
    message: OWASP guidance recommends disabling tracing for production applications
      to prevent accidental leakage of sensitive application information.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-1323: Improper Management of Sensitive Trace Data"
      owasp: A05:2021 - Security Misconfiguration
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance
        - https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx
      subcategory:
        - audit
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - generic
    paths:
      include:
        - "*web.config*"
    patterns:
      - pattern: |
          <trace ... enabled = "true" ... />
      - pattern-inside: |
          <system.web>
            ...
          </system.web>