ABSTRACT

Trace debug information helps attackers learn about the system and plan an attack.

EXPLANATION

ASP.NET applications can be configured to output trace debugging information. Trace output contains details about the request made to the current page, header information, the methods and controls used on the page, and the active session state. Attackers can use the additional information they gain from trace output to mount attacks targeted at the framework, database, or other resources used by the application.

Trace information is enabled at the page level by setting the Trace attribute of the <%@ Page %> directive to true, or at the application level by adding a trace element to the web.config file and setting its enabled attribute to true.
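
One way to audit a deployment for both settings described above, as an added example that is not part of the original page: a Python check run over constructed sample files. The function names are hypothetical, and the localOnly check (an attribute of the same trace element that the page does not mention) goes slightly beyond the text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real application).
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="true" />
  </system.web>
</configuration>"""
HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""
WEAK_PAGE = '<%@ Page Language="C#" Trace="true" %>\n<html></html>'
SAFE_PAGE = '<%@ Page Language="C#" Trace="false" %>\n<html></html>'

PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
# \bTrace\s*= matches the Trace attribute but not TraceMode.
TRACE_ON = re.compile(r"""\bTrace\s*=\s*["']?\s*true\b""", re.I)

def _local(el):
    """Tag name without an XML namespace prefix, if web.config declares one."""
    return el.tag.rsplit("}", 1)[-1]

def config_findings(xml_text):
    """Findings for <trace> under any <system.web>, including <location> overrides."""
    findings = []
    root = ET.fromstring(xml_text)
    for sysweb in (e for e in root.iter() if _local(e) == "system.web"):
        for trace in (c for c in sysweb if _local(c) == "trace"):
            # enabled defaults to false when the attribute is absent
            if trace.get("enabled", "false").strip().lower() == "true":
                findings.append("application-level trace enabled")
                # localOnly defaults to true; false lets remote clients view trace output
                if trace.get("localOnly", "true").strip().lower() == "false":
                    findings.append("trace viewable remotely (localOnly=false)")
    return findings

def page_findings(aspx_text):
    """Findings for Page directives that set Trace to true."""
    return ["page-level Trace=true"
            for m in PAGE_DIRECTIVE.finditer(aspx_text) if TRACE_ON.search(m.group(1))]

if __name__ == "__main__":
    print(config_findings(WEAK_CONFIG), page_findings(WEAK_PAGE))
```

Run over every web.config and .aspx file in a release build, a non-empty result from either function is a reason to fail the deployment check.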

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3620 CAT II

[5] Standards Mapping - FIPS200 - (FISMA) CM

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 11

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.6

[11] Robert Walling, The Basics of .NET Tracing