Abstract:

Debugging messages help attackers learn about the system and plan a form of attack.

Explanation:

ASP .NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and

should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries

should include debugging information.

The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug

binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to

production. Attackers can leverage the additional information they gain from debugging output to mount attacks targeted on the

framework, database, or other resources used by the application.

Recommendations:

Always compile production binaries without debug enabled. This can be accomplished by setting the debug attribute to false on

the <compilation> tag in your application's configuration file, as follows:

<configuration>

<compilation debug="false">

...

</compilation>

...

</configuration>

Setting the debug attribute to false is necessary for creating a secure application. However, it is important that your application

does not leak important system information in other ways. Ensure that your code does not unnecessarily expose system

information that could be useful to an attacker.

ASP.NET Misconfiguration: Debug Information的更多相关文章

  1. TFS Build Error: CSC : fatal error CS0042: Unexpected error creating debug information file 'xxxx.PDB'

    CSC : fatal error CS0042: Unexpected error creating debug information file 'xxxx.PDB' -- 'c:\Builds\ ...

  2. docker-compose up 启动容器服务超时错误:ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.

    问题: 本人正在使用docker运行一个中型的项目,包含40多个微服务及相关的docker.由于docker-compose up 同时启动的服务过多,超过了请求HTTP限制的60s时间仍未全部成功启 ...

  3. ASP.NET Misconfiguration: Missing Error Handling

    Abstract: An ASP .NET application must enable custom error pages in order to prevent attackers from ...

  4. ASP.NET Misconfiguration: Excessive Session Timeout

    Abstract: An overly long authentication timeout gives attackers more time to potentially compromise ...

  5. ASP.NET Misconfiguration: Request Validation Disabled

    Abstract: Use the ASP.NET validation framework to prevent vulnerabilities that result from unchecked ...

  6. The following module was built either with optimizations enabled or witherout debug information

    出现这个问题的原因是这个程式有做版控,服务器上的版本比本机版本小 解决方式为:删除服务器上的版控或者本机版本改成与服务器一致即可

  7. ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.

    docker-compose 的问题 要改环境变量 xed ~/.profile export COMPOSE_HTTP_TIMEOUT=500 export DOCKER_CLIENT_TIMEOU ...

  8. ASP里面令人震撼地自定义Debug类(VBScript)

    不知道用ASP写代码的朋友是不是和我有一样的感受,ASP中最头疼的就是调试程序的时候不方便 我想可能很多朋友都会用这样的方法“response.write ”,然后输出相关的语句来看看是否正确.前几天 ...

  9. Mac OS X 上安装 ASP.NET 5

    在Mac OS X Yosemite 10.10.3 中搭建第一个 ASP.NET 5 Web 项目 终于有时间在 Mac 上安装一下 ASP.NET 5,网上有许多教程,但是多数的时间比较早了,版本 ...

随机推荐

  1. Inno Setup怎样创建一个自动申请管理员身份运行的快捷

    如果你使用的是 Unicode 版本的 Inno Setup,那么以下是更为专业的解决方法.    这是 mlaan 提及的再一种方法. QUOTE(     CodeAutomation3.iss) ...

  2. MySQL 使用笔记

    1. How to export the database of mysql go to command line,  use "CMD" cd C:\Program Files\ ...

  3. NIO源码阅读

    自己对着源码敲一遍练习,写上注释.发现NIO编程难度好高啊..虽然很复杂,但是NIO编程的有点还是很多: 1.客户端发起的连接操作是异步的,可以通过在多路复用器注册OP_CONNECTION等待后续结 ...

  4. Linux查找含有某字符串的所有文件

    转自:http://151wqooo.blog.51cto.com/2610898/1162118 如果你想在当前目录下 查找"hello,world!"字符串,可以这样: gre ...

  5. Oracle定时查询结果输出到指定的log文件

    最近有个监控项目需要采集数据库信息,原来方案是写个sql脚本,每个脚本放一个查询语句然后通过操作系统层su到oracle用户通过sqlpus执行这个.sql,然后加到crontab定时执行.但是这个问 ...

  6. Maven如何传递系统属性变量到TestNG

    本文介绍如何传递Maven pom.xml里的系统属性参数到TestNG,文章沿用笔者一贯的风格--例子驱动. 解决什么问题 1. 用过WebDriver的都知道,当你启动Chrome或IE的时候都需 ...

  7. NPOI Excel 单元格背景颜色对照表

    NPOI Excel 单元格颜色对照表,在引用了 NPOI.dll 后可通过 ICellStyle 接口的 FillForegroundColor 属性实现 Excel 单元格的背景色设置,FillP ...

  8. XE6 & IOS开发之免证书真机调试(1):颁发属于自己的App签名证书(有图有真相)

    网上能找到的关于Delphi XE系列的移动开发的相关文章甚少,本文尽量以详细的图文内容.傻瓜式的表达来告诉你想要的答案. 原创作品,请尊重作者劳动成果,转载请注明出处!!! 1.自己给自己颁发证书, ...

  9. 推荐几个最好用的CRM软件,本人亲测

    CRM是英文Customer Relationship Management 的简写,一般译作“客户关系管理”.CRM最早产生于美国,由Gartner Group 首先提出的CRM这个概念的.20世纪 ...

  10. 使用 Google Web Fonts

    Google Fonts 的介绍:Google Fonts 并不是简单的字体下载站 Google Fonts 地址:https://www.google.com/fonts 左上角可以输入查找的字体名 ...