Configuration Management / ASP.NET Debugging Enabled
ASP.NET Debugging Enabled is a configuration management vulnerability (CWE-534) that affects web and API applications. It arises when ASP.NET debugging is left enabled in a production environment, allowing attackers to access debugging information and potentially exploit the web application. According to the OWASP Testing Guide, "Debugging information can provide an attacker with additional insight into the system and can be used to refine an attack".
This vulnerability is considered a medium risk with a CVSS score of 5.5. It can lead to a security breach if an attacker is able to access the debugging information.
The solution to this vulnerability is to disable debugging in a production environment. This is done by setting the debug attribute of the "compilation" element in the web.config file to false. Additionally, removing the debug symbols from the application will further reduce the risk of this vulnerability.
The following example of code from CVE-2017-1437 shows how the debug attribute can be set to false in the web.config file:
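The example below is added here and is not the page's original code or taken from the CVE it cites: a constructed web.config with debug="true", its corrected form with debug="false", and a Python check for the setting. It goes one step beyond the text by also flagging a `<location>` block that turns debugging back on for one path; the function name `debug_findings` and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: debugging left on after development (the weak setting).
WEAK = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
  </system.web>
</configuration>"""

# Constructed sample: the corrected form, debug="false" on <compilation>.
HARDENED = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
  </system.web>
</configuration>"""

# Constructed sample: root is correct, but a <location> block turns it back on.
OVERRIDE = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="true" />
    </system.web>
  </location>
</configuration>"""


def debug_findings(web_config_xml):
    """Return scopes with <compilation debug="true">; hypothetical helper name."""
    root = ET.fromstring(web_config_xml)
    # "(root)" is the file's own <system.web>; other scopes are <location> paths.
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    findings = []
    for name, scope in scopes:
        for comp in scope.findall("system.web/compilation"):
            # A missing debug attribute means debugging is off (the default).
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append(name)
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(label, debug_findings(xml) or "debugging disabled")
```

Run against each deployed web.config as a release gate; an empty list means no scope in that file enables debugging.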