CWE-11: ASP.NET Misconfiguration: Creating Debug Binary


Debugging messages help attackers learn about the system and plan a form of attack.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

Extended Description

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production.

Example Vulnerable Codes

Example - 1

The file web.config contains the debug mode setting. Setting debug to "true" will let the browser display debugging information.

<compilationdefaultLanguage="c#"debug="true"/>...<system.web></system.web><?xml version="1.0" encoding="utf-8" ?><configuration></configuration>

Change the debug mode to false when the application is deployed into production.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit for more details.