10

There are plenty of performance reasons why apps shouldn't be run in debug="true" mode (good rundown from Scott Gu), but are there any attack vectors exposed by this practice? It's not a question of "should you or shouldn't you", that much is clear, it's a question of whether it introduces any specific vulnerabilities.

I'm inclined to think that the ability to remotely detect it combined with the known performance issues could lead to an exploit against service availability but I'd like something a bit more definite. Does anyone know of a specific attack that can be orchestrated against an app running debug="true"?

Troy Hunt
  • Why not ask this over on the [SecuritySE](http://security.stackexchange.com/)? – AviD Dec 12 '10 at 08:44
  • Good point, I didn't put it there originally as I thought I'd get the answer here. I've sent a copy over: http://security.stackexchange.com/questions/1180/is-there-a-security-risk-running-web-apps-in-debug-true – Troy Hunt Dec 16 '10 at 00:58
  • I have seen FULL connection strings (including passwords) exposed in the past where the application was running in Debug mode, Custom Errors were off and the connection failed - in this case not because of a problem with the database server, but when another server acting as sole DNS server for the host was decommissioned. Enabling debug mode substantially increases the risk of sensitive internal application information disclosure, but then you already knew that. I like the analogy with crashes not being caused by one event, but a series that combine to give the (often tragic) outcome. – pwdst Oct 23 '13 at 13:20

3 Answers

5

I've had some interesting feedback on this question, particularly over on the Security Stack Exchange. There have been lots of responses related to stack traces (a custom errors issue, not a debug issue) and performance (not [directly] a security issue).

The most compelling response is that conditional compilation constants (#if DEBUG...) could cause unexpected behavior, but this again is more of a functionality risk (unintended code being executed in a live environment), than a security risk.

I suspect debug mode may open some pathways to other exploits based on the performance overhead it places on the app and the ability to remotely detect it (service continuity risk, perhaps). I've written up my conclusions as part of OWASP Top 10 for .NET developers part 6: Security Misconfiguration.

So for the sake of completeness, the answer appears to be that there is no clear security risk from running in debug mode, but it certainly isn't a good idea for production apps given the factors mentioned above.

Troy Hunt
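
The answer above separates the debug flag from custom errors, and a comment on the question describes what happened when both were misconfigured together. The following audit of a web.config for each setting is an added example, not part of the original thread; the sample config is constructed, the function names are hypothetical, and it assumes a `<configuration>` root without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config, not taken from any real application.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="RemoteOnly" />
    </system.web>
  </location>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of (setting, value, note) findings for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also reaches <system.web> nested under <location> elements.
    for web in root.iter("system.web"):
        comp = web.find("compilation")
        # ASP.NET treats a missing debug attribute as false.
        if comp is not None and comp.get("debug", "false").lower() == "true":
            findings.append(("compilation/@debug", "true",
                             "debug build: performance cost, remotely detectable"))
        errs = web.find("customErrors")
        # A missing customErrors element defaults to RemoteOnly.
        mode = errs.get("mode", "RemoteOnly") if errs is not None else "RemoteOnly"
        if mode.lower() == "off":
            findings.append(("customErrors/@mode", mode,
                             "detailed errors and stack traces sent to remote clients"))
    return findings


def is_high_risk(findings):
    """True when debug and customErrors Off are both present."""
    return {"compilation/@debug", "customErrors/@mode"} <= {f[0] for f in findings}


if __name__ == "__main__":
    results = audit_web_config(SAMPLE_WEB_CONFIG)
    for setting, value, note in results:
        print(f"{setting}={value}: {note}")
    print("debug + customErrors Off together:", is_high_risk(results))
```
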
3

That depends somewhat upon what code there is surrounded by DEBUG conditional compiles.

Do you have any debug only code that could be exploited? It is not uncommon to find 'carte blanche' admin permissions given in debug mode...

If you have zero debug only code, then the only thing I can think of is possibly publishing too much stack error information in web error reports.

The point is somewhat moot if your application has good (level configurable) logging, such as log4Net.

Mitch Wheat
  • Good point, although you could argue that's more a question of vulnerabilities in the conditional logic in the app than a vulnerability in debug mode per se. The question is not related to any particular app, it's a general question about whether debug is only a perf issue or a potential security issue as well. – Troy Hunt Dec 12 '10 at 07:03
  • @Troy Hunt: True, but they go hand in hand. I guess this would form part of any code review... – Mitch Wheat Dec 12 '10 at 07:07
0

I think you should transfer all debugging operations to a custom-made console to prevent debugging hints from enabling attackers to misuse vulnerabilities of your app.

Farshid