Error Handling / ASP.net Tracing Enabled
ASP.NET tracing enabled is a vulnerability in web and API applications that can allow attackers to gain access to sensitive information stored in the application. This vulnerability is described in the Common Weakness Enumeration (CWE) directory as CWE-611: Improper Restriction of Excessive Authentication Attempts. It can also be found in the OWASP Testing Guide under the category of Error Handling.
This vulnerability can lead to the exposure of sensitive information, such as passwords, credit card numbers, and other data. Additionally, the attacker may be able to gain access to the application and its underlying services, which can cause various problems, from disruption of services to data theft. The risk of this vulnerability is assessed as high.
The best way to prevent this vulnerability is to disable ASP.NET tracing. This can be done by setting the “trace” attribute in the web.config file to false. Additionally, it is important to ensure that the application is configured to use secure authentication methods and to restrict access to sensitive information.
In the following example, the web.config file has been configured to disable ASP.NET tracing:
<configuration> <system.web> <trace enabled="false" /> </system.web> </configuration>