Information Technology SecurityTop 10 Application Security Vulnerabilities in Web.config Files - Part One
Author: Bryan Sullivan | Category: Security | Comments (0)Table of Contents
Top 10 Application Security Vulnerabilities in Web.config Files - Part One Leaving Tracing Enabled in Web-Based Applications Debugging Enabled Cookies Accessible through Client-Side Script Cookieless Session State EnabledDebugging Enabled
3. Debugging Enabled
Deploying Web-based applications in debug mode is a very common mistake. Virtually all Web-based applications require some debugging. Visual Studio 2005 will even automatically modify the Web.config file to allow debugging when you start to debug your application. And, since deploying ASP.NET applications is as simple as copying the files from the development folder into the deployment folder, it's easy to see how development configuration settings can accidentally make it into production, compromising application security.
Vulnerable configuration:
<configuration> <system.web> <compilation debug="true">
Secure configuration:
<configuration> <system.web> <compilation debug="false">
Like the first two application security vulnerabilities described in this list, leaving debugging enabled is dangerous because you are providing inside information to end users who shouldn't have access to it, and who may use it to attack your Web-based applications. For example, if you have enabled debugging and disabled custom errors in your application, then any error message displayed to an end user of your Web-based applications will include not only the server information, a detailed exception message, and a stack trace, but also the actual source code of the page where the error occurred.
Unfortunately, this configuration setting isn't the only way that source code might be displayed to the user. Here's a story that illustrates why developers shouldn't concentrate solely on one type of configuration setting to improve application security. In early versions of Microsoft's ASP.NET AJAX framework, some controls would return a stack trace with source code to the client browser whenever exceptions occurred. This behavior happened whenever debugging was enabled, regardless of the custom error setting in the configuration. So, even if you properly configured your Web-based applications to display non-descriptive messages when errors occurred, you could still have unexpectedly revealed your source code to your end users if you forgot to disable debugging.
To disable debugging, set the value of the "debug" attribute of the <compilation> element to "false." This is the default value of the setting, but as we will see in part two of this article, it's safer to explicitly set the desired value rather than relying on the defaults to protect application security.
