Configuration Management / ASP.NET Debugging Enabled

Web and API

Description

ASP.NET Debugging Enabled is a configuration management vulnerability (CWE-534) affecting web and API applications. It arises when ASP.NET debugging is left enabled in a production environment, which allows attackers to access debugging information and potentially exploit the web application. According to the OWASP Testing Guide, "Debugging information can provide an attacker with additional insight into the system and can be used to refine an attack".

Risk

This vulnerability is considered a medium risk with a CVSS score of 5.5. It can lead to a security breach if an attacker is able to access the debugging information, which provides additional insight into the system and can be used to refine an attack.

Solution

The solution to this vulnerability is to disable debugging in a production environment. This is done by setting the debug attribute of the compilation element in the web.config file to false. Removing the debug symbols from the application further reduces the risk of this vulnerability.
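
A pre-deployment check for the setting described above, as an added example that is not part of the original page. The function name and the sample web.config are constructed for illustration. The check covers compilation elements inside location overrides as well as the application-wide one.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: debug is on at the root and again inside a
# <location> override, which a check of only the first match would miss.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="True" targetFramework="4.8" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="true" />
    </system.web>
  </location>
  <location path="api">
    <system.web>
      <compilation debug="false" />
    </system.web>
  </location>
</configuration>
"""


def find_debug_compilation(config_xml):
    """Return the scope of every <compilation> element with debug enabled.

    The scope is "(root)" for the application-wide setting or the path of the
    enclosing <location> element. A missing debug attribute is treated as
    disabled, which is the ASP.NET default.
    """
    root = ET.fromstring(config_xml)
    # Application-wide setting: configuration/system.web/compilation
    scopes = [("(root)", root)]
    # Per-path overrides: configuration/location/system.web/compilation
    scopes += [(loc.get("path", "(root)"), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        for comp in node.findall("system.web/compilation"):
            # Compare case-insensitively so "True" and "true" are both caught.
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append(scope)
    return findings


if __name__ == "__main__":
    for scope in find_debug_compilation(SAMPLE_WEB_CONFIG):
        print(f"debug enabled in scope: {scope}")
```

Run against the production web.config as a build or release gate, a non-empty result means the deployment should be blocked until the flagged scopes are set to false.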
