Abstract:
Debugging messages help attackers learn about the system and plan a form of attack.
Explanation:
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and
should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries
should include debugging information.
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug
binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to
production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the
framework, database, or other resources used by the application.
Recommendations:
Always compile production binaries without debug enabled. This can be accomplished by setting the debug attribute to false on
the <compilation> tag in your application's configuration file, as follows:
<configuration>
<compilation debug="false">
...
</compilation>
...
</configuration>
Setting the debug attribute to false is necessary for creating a secure application. However, it is important that your application
does not leak important system information in other ways. Ensure that your code does not unnecessarily expose system
information that could be useful to an attacker.