 

Is there a security risk running web apps in debug="true"?

There are plenty of performance reasons why apps shouldn't be run in debug="true" mode (good rundown from Scott Gu), but are there any attack vectors exposed by this practice? It's not a question of "should you or shouldn't you", that much is clear, it's a question of whether it introduces any specific vulnerabilities.

I'm inclined to think that the ability to remotely detect it combined with the known performance issues could lead to an exploit against service availability but I'd like something a bit more definite. Does anyone know of a specific attack that can be orchestrated against an app running debug="true"?

asked Dec 12 '10 06:12 by Troy Hunt


2 Answers

I've had some interesting feedback on this question, particularly over on the Security Stack Exchange. There have been lots of responses related to stack traces (a custom errors issue, not a debug issue) and performance (not [directly] a security issue).

The most compelling response is that conditional compilation constants (#if DEBUG...) could cause unexpected behavior, but this again is more of a functionality risk (unintended code being executed in a live environment), than a security risk.

I suspect debug mode may open some pathways to other exploits based on the performance overhead it places on the app and the ability to remotely detect it (service continuity risk, perhaps). I've written up my conclusions as part of OWASP Top 10 for .NET developers part 6: Security Misconfiguration.

So for the sake of completeness, the answer appears to be that there is no clear security risk from running in debug mode, but it certainly isn't a good idea for production apps given the factors mentioned above.

answered Oct 21 '22 13:10 by Troy Hunt


That depends somewhat upon what code there is surrounded by DEBUG conditional compiles.

Do you have any debug only code that could be exploited? It is not uncommon to find 'carte blanche' admin permissions given in debug mode...

If you have zero debug only code, then the only thing I can think of is possibly publishing too much stack error information in web error reports.

The point is somewhat moot if your application has good (level-configurable) logging, such as log4Net.

answered Oct 21 '22 15:10 by Mitch Wheat
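Both answers point at the same place a real risk could hide: code wrapped in conditional compilation (#if DEBUG), which Troy Hunt flags as a functionality risk and Mitch Wheat flags as a possible source of "carte blanche" admin permissions. The following is an added illustration, not code from either answer or from the question: a hypothetical ASP.NET MVC controller with a debug-only authorization bypass of exactly that kind, next to a hardened version and a start-up check that refuses to run with `<compilation debug="true" />` unless the host has explicitly opted in. AdminController, IsAdminVulnerable, IsAdmin, DeleteUser and the ASPNET_ALLOW_DEBUG environment variable are all assumptions made for the example.

```csharp
// Added example (not from the original page or either answer): a hypothetical
// ASP.NET MVC controller with the kind of debug-only back door the answers
// warn about, the hardened form, and a fail-fast start-up check.
using System;
using System.Web;
using System.Web.Configuration;
using System.Web.Mvc;

public class AdminController : Controller
{
    // VULNERABLE PATTERN: an authorization shortcut that exists only when the
    // DEBUG symbol is defined. Whether it is defined depends on how this code
    // was compiled: for pages and App_Code compiled by ASP.NET at run time,
    // <compilation debug="true" /> in web.config defines it; for a precompiled
    // assembly, the build configuration (Debug vs Release) does. A Debug build
    // shipped to production carries this branch regardless of web.config.
    private bool IsAdminVulnerable()
    {
#if DEBUG
        // "Convenience" for local testing: ?as_admin=1 grants admin rights.
        // Anyone who can reach the site and guess the parameter is an admin.
        if (Request.QueryString["as_admin"] == "1")
            return true;
#endif
        return User.Identity.IsAuthenticated && User.IsInRole("Admin");
    }

    // HARDENED: no conditional compilation anywhere on the authorization path.
    // Test accounts belong in the test environment's membership store, not in
    // the code, so the same binary behaves identically in every environment.
    private bool IsAdmin()
    {
        return User.Identity.IsAuthenticated && User.IsInRole("Admin");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteUser(int id)
    {
        if (!IsAdmin())
            return new HttpUnauthorizedResult();

        // The real deletion would go here; the example only shows the gate.
        return Content("user " + id + " deleted");
    }
}

// Global.asax code-behind: refuse to start with debug compilation enabled
// unless the deployment explicitly opts in via a hypothetical
// ASPNET_ALLOW_DEBUG environment variable that is set only on developer
// machines. CompilationSection.Debug reflects <compilation debug="..." />.
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        var compilation = (CompilationSection)
            WebConfigurationManager.GetSection("system.web/compilation");

        bool debugAllowed =
            Environment.GetEnvironmentVariable("ASPNET_ALLOW_DEBUG") == "1";

        if (compilation != null && compilation.Debug && !debugAllowed)
        {
            throw new InvalidOperationException(
                "<compilation debug=\"true\" /> is set but this host is not " +
                "marked as a development machine; refusing to start.");
        }
    }
}
```

The start-up check is the operational counterpart of the answers' advice: it turns a misconfiguration that would otherwise be silent into a deployment failure. Note the caveat in the comments, which is why "we set debug=false in production" is not by itself a sufficient answer to Mitch Wheat's question: a precompiled Release build ignores the web.config setting for the purposes of #if DEBUG, and a precompiled Debug build keeps the debug-only code even when web.config says debug="false". Auditing for #if DEBUG in code that touches authentication, authorization or data access is the check that actually answers "do you have any debug-only code that could be exploited?". As a belt-and-braces measure on the server side, `<deployment retail="true" />` in machine.config's system.web section forces debug compilation off for every application on the machine.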