Language: C# | Type: VULNERABILITY | Severity: Minor
Tags: cwe, error-handling, debug, user-experience, former-hotspot
Development tools and frameworks usually have options to make debugging easier for developers, but these features should never be enabled for applications deployed in production.
Debug instructions or error messages can leak detailed information about the system, such as the application’s path, file names, or stack traces. The rule flags configurations and API calls that enable debug features, including stack trace printing, verbose logging, debug mode flags, and remote debugging endpoints.
Attackers can exploit debug output to learn internal application details, file paths, stack traces, and configuration data that can be leveraged to craft further attacks.
Debug features may expose remote debugging endpoints, profiling APIs, or detailed error pages that significantly increase the attack surface of the application.
The .NET Core framework offers several features that help during debugging. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage (which renders the exception, the stack trace, request headers, cookies and query data to the client) and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage (which renders Entity Framework Core migration and connection errors) are two of them. Make sure that those features are disabled in production. Note that on ASP.NET Core 5 and later UseDatabaseErrorPage is obsolete and replaced by the AddDatabaseDeveloperPageExceptionFilter service registration; the same rule applies to it, since it feeds database errors into the developer exception page.
Guard debug-only calls with if (env.IsDevelopment()) so that they are only executed in a development environment. IsDevelopment() is driven by the ASPNETCORE_ENVIRONMENT (or DOTNET_ENVIRONMENT) variable and defaults to Production when the variable is unset, so the remaining check is that no production host, container image or launch profile sets it to Development.
Debug features should be disabled or guarded by environment checks before deploying to production.
Noncompliant code example:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            // Those calls are Noncompliant because they are unconditional and
            // will therefore also run in production
            app.UseDeveloperExceptionPage(); // Noncompliant
            app.UseDatabaseErrorPage(); // Noncompliant
        }
    }
}
Compliant solution:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

namespace mvcApp
{
    public class Startup2
    {
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                // The following calls are ok because they are disabled in production
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
        }
    }
}
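The compliant solution above only removes the developer pages; it does not say what production should return instead. The following Program.cs is an added example (not part of the rule description or of any project) for the ASP.NET Core 6+ minimal hosting model. It keeps the developer exception page and the database error filter inside the IsDevelopment() branch, and in every other environment routes unhandled exceptions to a generic handler that logs the full exception server-side and returns only a correlation id to the client. The /error route, the use of the Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore package for AddDatabaseDeveloperPageExceptionFilter, and the fact that the application has a database at all are assumptions made for the example.

```csharp
// Program.cs, ASP.NET Core 6+ minimal hosting. Added example, not the rule's own code.
// Assumes the Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore package is referenced.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Diagnostics;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsDevelopment())
{
    // Successor of UseDatabaseErrorPage(): lets EF Core migration/connection errors be
    // rendered on the developer exception page. Registered only for Development.
    builder.Services.AddDatabaseDeveloperPageExceptionFilter();
}

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    // Compliant: the page that echoes stack traces, paths and request data is
    // reachable only when ASPNETCORE_ENVIRONMENT=Development.
    app.UseDeveloperExceptionPage();
}
else
{
    // Production (the default when the environment variable is unset): re-execute the
    // request on a generic error endpoint instead of showing the exception.
    app.UseExceptionHandler("/error");
}

// Generic error endpoint (assumed route): the exception stays in the server log,
// the client only receives a reference it can quote to support.
app.Map("/error", (HttpContext ctx) =>
{
    var exception = ctx.Features.Get<IExceptionHandlerFeature>()?.Error;
    var reference = ctx.TraceIdentifier;

    app.Logger.LogError(exception, "Unhandled exception, reference {Reference}", reference);

    return Results.Problem(
        statusCode: StatusCodes.Status500InternalServerError,
        title: "An unexpected error occurred.",
        detail: $"Reference: {reference}");
});

// Constructed endpoint that always fails, so the two behaviours can be compared:
// a stack trace in Development, a ProblemDetails body with a reference otherwise.
app.MapGet("/boom", () =>
{
    throw new InvalidOperationException("Simulated failure (constructed for the example)");
});

app.Run();
```

To verify the deployment rather than the code, run the application with ASPNETCORE_ENVIRONMENT=Production and request /boom: the response must be a 500 with a ProblemDetails body containing only the reference, never an exception type, a file path or a stack frame. Repeating the request with ASPNETCORE_ENVIRONMENT=Development shows the developer page, which is the behaviour the rule flags when it can occur outside development.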