We have a bunch of websites/applications with debug="true" in their web.config files.

We want to override this at a server level with retail="true", as described here

However, these sites still respond to the HTTP DEBUG verb with a 200, which is at least one difference.

I would like to know if this is the only one, or if there are other (perhaps more insecure) implications of relying on retail="true".

There is a similar question here, but no clear answer to the question I am asking.

Kram

1 Answer

Retail mode definitely disables debug mode. It also turns off tracing and sets custom errors on - are you seeing this? Have you had a reboot? How are you issuing the debug request?

Troy Hunt
  • 1
    Yes, it seems to... as I said, I have found (well actually, the Penetration Testing Firm we have employed found it) that even in retail mode, DEBUG verbs are still acknowledged by applications with debug="true" in their config... and I really wanted a definitive on whether this is the *only* difference. If it *is*, then I can be sure we're *just* as safe as if we had debug="false" in our config (and please no one ask "why don't you just set debug="false" in your config!!!!!!!) – Kram Jul 29 '11 at 10:58
  • Damn, I was going to say you should try turning it off in the Web.config and see what result you get. But I also get the impression you haven't tested this yourself - can you reproduce what your pen test people are saying by using a debug request yourself? And have you had a reboot? As a side note, I'm yet to find an actual vulnerability from running in debug mode: http://security.stackexchange.com/questions/1180/is-there-a-security-risk-running-web-apps-in-debug-true – Troy Hunt Jul 29 '11 at 21:23
  • I have indeed tried all combinations. I am, however, not aware of a *complete list* of "features" that are enabled when debug="true" is specified... otherwise I could check to see which of these is disabled when retail="true" is specified... all I do know is this one difference that I've mentioned, and that the Pen test people have pointed out... however, they are vague about the implications, suggesting that we have debug turned on and that it could leak resources or code... however, I'm trying to convince the powers that be that we *don't* have debug turned on when retail="true" – Kram Aug 01 '11 at 10:39
  • 1
    After doing some extensive testing myself I can confirm that ASP.NET custom errors are always set to On in retail mode, even if your web.config has them set to Off or RemoteOnly. – Tom Winter Dec 26 '12 at 20:26
  • 2
    One item that retail mode does not do WRT debug is re-enable execution timeout. With retail=true and debug=true the page execution will not timeout. [See the note in the MS doc](https://msdn.microsoft.com/en-us/library/ms228298(v=vs.100).aspx) – Gridly Apr 07 '16 at 18:59