Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET / IIS Remote Debugging - DEBUG verb

Tags:

http

asp.net

iis

debugging

remote-debugging

I'm looking for details on the DEBUG HTTP verb.
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET...

If I want to access this interface directly - i.e. not through Visual Studio, but sending these commands manually - what do I need to know? What are the commands for it?
I'm also interested in misuse cases, if you have any information on that...

like image 608
AviD Avatar asked Jan 07 '09 00:01

AviD

1 Answers

Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis: (thanks @Mark, @Jørn).

http://support.microsoft.com/kb/937523

When the client tries to automatically attach the debugger in an ASP.NET 2.0 application, the client sends a HTTP request that contains the DEBUG verb. This HTTP request is used to verify that the process of the application is running and to select the correct process to attach.

The DEBUG verb is used to start/stop remote debugging sessions. More specifically, a DEBUG request can contain a Command header with value start-debug and stop-debug, but the actual debugging is done via an RPC protocol.

It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.

However, poking an ASP.NET website with the DEBUG requests can be used to reveal if the web.config has <compilation debug="true">. The test can be performed with telnet, WFetch or similar, by sending a request like this:

DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug

Depending on whether debugging is enabled or not, you will get either 200 OK or 403 Forbidden.

It is generally accepted that you should never have <compilation debug="true"/> in a production environment, as it has serious implications on the performance of the website. I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway.

like image 196
AviD Avatar answered Sep 25 '22 02:09

AviD
Sign in to Comment

Related questions

HttpClient not sending authorization Bearer token in .Net Core 3.1
live asp.net web.config settings
What is the best way to send large batches of emails in ASP.NET?
ASP.NET Custom Controls - Alternatives to PostBack?
Free open source asp.net file managers? [closed]
Long-running code within asp.net process
How do I integrate the ASP .Net Model View Presenter (MVP) pattern and static page methods marked as [WebMethod]?
Experiences using software load balancing vs. a hardware load balancer?
Set ContentPlaceHolder data through code ASP.NET
How do I prevent exceptions from half-loaded pages' form submission while using asp.net event validation?
ASP.NET - What is the correct approach to JSON based web services with jQuery?
VB.NET and ASP.NET DLL line numbers don't appear in production error logs
Simple role authentication in asp.net
How can I get the size of an object in the HttpRuntime.Cache?
Implementing a search page using url parameters in ASP.NET and ASP.NET MVC
Free tool or library to convert Tiff files to pdf in .Net [closed]
Do I need to unsubscribe from (manually subscribed to) events in asp.net?
How to allow sorting of a gridview?
Disable aspnet.friendlyurl's mobile redirect for tablets
Publish error: Could not load file or assembly 'Microsoft.Web.XmlTransform', Version=1.4.0.0, Culture=neutral, etc. or one of its dependencies

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!