CWE-11 ASP.NET误配置:创建Debug模式二进制
ASP.NET Misconfiguration: Creating Debug Binary
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
Debugging messages help attackers learn about the system and plan a form of attack.
扩展描述
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.
相关缺陷
- cwe_Nature: ChildOf cwe_CWE_ID: 215 cwe_View_ID: 1000 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Name': 'ASP.NET', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the framework, database, or other resources used by the application. |
可能的缓解方案
System Configuration
策略:
Avoid releasing debug binaries into the production environment. Change the debug mode to false when the application is deployed into production.
示例代码
例
The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.
bad XML
<configuration>
defaultLanguage="c#"
debug="true"
/>
...
Change the debug mode to false when the application is deployed into production.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| 7 Pernicious Kingdoms | ASP.NET Misconfiguration: Creating Debug Binary |