S4507 — Debugging features should not be enabled in production

Language: VB.NET  |  Type: VULNERABILITY  |  Severity: Minor

Tags: cwe, error-handling, debug, user-experience, former-hotspot

Development tools and frameworks usually have options to make debugging easier for developers, but these features should never be enabled for applications deployed in production.

Why is this an issue?

Debug instructions or error messages can leak detailed information about the system, such as the application’s path, file names, or stack traces. The rule flags configurations and API calls that enable debug features, including stack trace printing, verbose logging, debug mode flags, and remote debugging endpoints.

What is the potential impact?

Information disclosure

Attackers can exploit debug output to learn internal application details, file paths, stack traces, and configuration data that can be leveraged to craft further attacks.

Increased attack surface

Debug features may expose remote debugging endpoints, profiling APIs, or detailed error pages that significantly increase the attack surface of the application.

How to fix it

The .NET Core framework offers multiple features that help during debugging. Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDeveloperExceptionPage and Microsoft.AspNetCore.Builder.IApplicationBuilder.UseDatabaseErrorPage are two of them. Make sure that these features are disabled in production.

Wrap debug-only calls in an If env.IsDevelopment() check so that they are skipped in every environment other than Development.

Code examples

Debug features should be disabled or guarded by environment checks before deploying to production.

Noncompliant code example

Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
            ' These calls are noncompliant: nothing guards them, so they also run in production
            app.UseDeveloperExceptionPage() 'Noncompliant
            app.UseDatabaseErrorPage() 'Noncompliant
        End Sub
    End Class
End Namespace

Compliant solution

Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting

Namespace MyMvcApp
    Public Class Startup
        Public Sub Configure(ByVal app As IApplicationBuilder, ByVal env As IHostingEnvironment)
            If env.IsDevelopment() Then
                ' The following calls are OK because they only run in the Development environment
                app.UseDeveloperExceptionPage()
                app.UseDatabaseErrorPage()
            End If
        End Sub
    End Class
End Namespace
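The same guard in the .NET 6+ minimal-hosting model, with the production branch filled in so that unhandled exceptions reach a generic error endpoint instead of the developer page. This is an added example, not one of the rule's own samples; Program.vb, the /error path, and the use of UseExceptionHandler, UseHsts and UseHttpsRedirection are assumptions about the application.

```vb
' Program.vb (added example, assumes ASP.NET Core 6+ minimal hosting)
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.Extensions.Hosting

Module Program
    Sub Main(args As String())
        Dim builder = WebApplication.CreateBuilder(args)
        Dim app = builder.Build()

        ' The environment name comes from ASPNETCORE_ENVIRONMENT (or DOTNET_ENVIRONMENT).
        ' Any value other than "Development" takes the hardened branch below.
        If app.Environment.IsDevelopment() Then
            ' Detailed exception page with stack traces and source snippets:
            ' acceptable only on a developer machine.
            app.UseDeveloperExceptionPage()
        Else
            ' Production: send unhandled exceptions to a generic error endpoint
            ' that reveals nothing about paths, frames or configuration.
            app.UseExceptionHandler("/error")
            app.UseHsts()
        End If

        app.UseHttpsRedirection()
        app.Run()
    End Sub
End Module
```

Deploying with ASPNETCORE_ENVIRONMENT left at Development defeats the guard, so the value set on production hosts is worth checking alongside the code.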

Resources

Standards