CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
Weakness ID: 11
Debugging messages help attackers learn about the system and plan a form of attack.
ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.
Time of Introduction
Technical Impact: Read application
Attackers can leverage the additional information they gain from
debugging output to mount attacks targeted on the framework, database,
or other resources used by the application.
The file web.config contains the debug mode setting. Setting debug
to "true" will let the browser display debugging information.
<?xml version="1.0" encoding="utf-8" ?>
Change the debug mode to false when the application is deployed into
Phase: System Configuration
Avoid releasing debug binaries into the production environment. Change
the debug mode to false when the application is deployed into
The debug attribute of the <compilation> tag defines whether
compiled binaries should include debugging information. The use of debug
binaries causes an application to provide as much information about itself
as possible to the user.