ASPNetDebug.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
ASP.NET applications that deploy a 'debug' build to production can reveal debugging information
to end users. This debugging information can aid a malicious user in attacking the system. The use
of the debugging flag may also impair performance, increasing execution time and memory usage.
</p>
</overview>
<recommendation>
<p>
Remove the 'debug' flag from the <code>Web.config</code> file if this configuration is likely to be
used in production.
</p>
</recommendation>
<example>
<p>
The following example shows the 'debug' flag set to true in a <code>Web.config</code> file for ASP.NET:
</p>
<sample src="Web.config.bad" />
<p>
This will produce a 'debug' build that may be exploited by an end user.
</p>
<p>
To fix this problem, the 'debug' flag should be set to <code>false</code>, or removed completely:
</p>
<sample src="Web.config.good" />
</example>
<references>
<li>
MSDN:
<a href="https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/">Why debug=false in ASP.NET applications in production environment</a>.
</li>
<li>
MSDN:
<a href="https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx">How to: Enable Debugging for ASP.NET Applications</a>.
</li>
</references>
</qhelp>
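A pre-deployment check for the condition described above, as an added example that is not part of the query or its help file. It reports every `<compilation>` element whose `debug` attribute is true, both at the top level and inside `<location>` overrides. The function names and sample configurations are constructed for illustration, and comparing the value case-insensitively is a conservative assumption.

```python
import xml.etree.ElementTree as ET

def _children(elem, name):
    # Match on local name so a namespaced <configuration xmlns="..."> is still handled.
    return [c for c in elem
            if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]

def find_debug_compilation(web_config):
    """Return (scope, raw_value) for each <compilation> with debug enabled.

    scope is "<root>" for the top-level <system.web>, or the path attribute
    of the <location> element that carries the override.
    """
    root = ET.fromstring(web_config)
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", ""), loc) for loc in _children(root, "location")]
    findings = []
    for scope, parent in scopes:
        for system_web in _children(parent, "system.web"):
            for comp in _children(system_web, "compilation"):
                value = comp.get("debug")
                # A missing attribute means the flag was removed, which is the fixed state.
                if value is not None and value.strip().lower() == "true":
                    findings.append((scope, value))
    return findings

# Constructed sample: the flag is set at the top level.
BAD = """<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>"""

# Constructed sample: the top level is clean, but a <location> override enables it.
LOCATION_OVERRIDE = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="True" />
    </system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("LOCATION_OVERRIDE", LOCATION_OVERRIDE)):
        print(name, find_debug_compilation(cfg))
```

To check a real file, pass its contents as bytes, for example `open(path, "rb").read()`, and fail the release step when the returned list is not empty.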