CodeQL documentation

Creating an ASP.NET debug binary may reveal sensitive information

ID: cs/web/debug-binary
Kind: problem
Severity: warning
Precision: very-high
Tags:
   - security
   - maintainability
   - frameworks/asp.net
   - external/cwe/cwe-11
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

ASP.NET applications that deploy a ‘debug’ build to production can reveal debugging information to end users. This debugging information can aid a malicious user in attacking the system. The use of the debugging flag may also impair performance, increasing execution time and memory usage.

Recommendation

Remove the ‘debug’ flag from the Web.config file if this configuration is likely to be used in production.

Example

The following example shows the ‘debug’ flag set to true in a Web.config file for ASP.NET:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
      debug="true"
    />
   ...
  </system.web>
</configuration>

This will produce a ‘debug’ build that may be exploited by an end user.

To fix this problem, the ‘debug’ flag should be set to false, or removed completely:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
      defaultLanguage="c#"
    />
   ...
  </system.web>
</configuration>