Language: VB.NET | Type: VULNERABILITY | Severity: Minor
Tags: cwe, error-handling, debug, user-experience, former-hotspot
Development tools and frameworks usually have options to make debugging easier for developers, but these features should never be enabled for applications deployed in production.
Debug instructions or error messages can leak detailed information about the system, such as the application’s path, file names, or stack traces. The rule flags configurations and API calls that enable debug features, including stack trace printing, verbose logging, debug mode flags, and remote debugging endpoints.
Attackers can exploit debug output to learn internal application details, file paths, stack traces, and configuration data that can be leveraged to craft further attacks.
Debug features may expose remote debugging endpoints, profiling APIs, or detailed error pages that significantly increase the attack surface of the application.
The .NET Core framework offers several features that help during debugging. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that those features are disabled in production.
Wrap such calls in an If env.IsDevelopment() check so that the debug code only runs in the development environment.
Debug features should be disabled or guarded by environment checks before deploying to production.
Noncompliant code example:

Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
            ' These calls are Noncompliant because nothing prevents them from running in production
            app.UseDeveloperExceptionPage() ' Noncompliant
            app.UseDatabaseErrorPage() ' Noncompliant
        End Sub
    End Class
End Namespace
Compliant solution:

Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
            If env.IsDevelopment() Then
                ' The following calls are ok because they only run in development
                app.UseDeveloperExceptionPage()
                app.UseDatabaseErrorPage()
            End If
        End Sub
    End Class
End Namespace
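Guarding the developer pages is only half of the fix: without a replacement handler, an unhandled exception in production still surfaces as a bare 500 response. The following added example (not part of the rule description) shows a complete Configure method for ASP.NET Core 3.0 or later that keeps the diagnostics behind env.IsDevelopment() and installs a generic error handler in the Else branch; it assumes an MVC app with an /Error action that renders a non-revealing error view.

```vbnet
' Added example, not the rule's own code. Assumes ASP.NET Core 3.0+ (IWebHostEnvironment,
' endpoint routing) and an /Error controller action that renders a generic error page.
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Imports Microsoft.Extensions.Hosting ' provides the IsDevelopment() extension

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IWebHostEnvironment)
            ' Exception-handling middleware is registered first so that it wraps
            ' everything added to the pipeline after it.
            If env.IsDevelopment() Then
                ' Stack traces, source snippets and EF migration pages: developers only.
                app.UseDeveloperExceptionPage()
                app.UseDatabaseErrorPage()
            Else
                ' Production: re-execute the request against /Error, which renders a
                ' generic page that exposes no paths, stack traces or configuration.
                app.UseExceptionHandler("/Error")
                ' Tell browsers to stick to HTTPS; the template also keeps this out of development.
                app.UseHsts()
            End If

            app.UseHttpsRedirection()
            app.UseStaticFiles()
            app.UseRouting()
            app.UseEndpoints(Sub(endpoints)
                                 endpoints.MapControllerRoute(
                                     name:="default",
                                     pattern:="{controller=Home}/{action=Index}/{id?}")
                             End Sub)
        End Sub
    End Class
End Namespace
```

A quick deployment check is to set ASPNETCORE_ENVIRONMENT=Production on a staging host, trigger a failing request, and confirm that the response body contains only the generic /Error view.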