Turning off debug mode in ASP.NET is one of the things that's mentioned even in the most beginner tutorials on ASP.NET security. Unfortunately, in website projects debug mode is the only way to obtain line numbers with exception stack traces: you can't just enable PDBs while leaving the website in release mode.

Line numbers in stack traces are exceptionally useful in figuring out the cause of those once-in-a-blue-moon exceptions that only occur in production.

Our server uses custom error handlers, and has tracing disabled. Are there any other ways in which the debug mode can be harmful for security?

RomanSt
  • While I know nothing about ASP, can you not direct the verbose error messages to yourself via email rather than output them in a browser? We do it this way at my large organisation, whose system is written in PHP, and have done in the past in ColdFusion too. It also has the benefit of notifying you of exceptions that have been triggered by the public, in their special way they like to use things that we never bargained for. – i-CONICA Jul 08 '14 at 10:25
  • @i-CONICA the question is not about that at all, but rather about how to make the line numbers accessible for any such treatment in the first place. These errors are already logged to the database and never shown in the browser. – RomanSt Jul 08 '14 at 10:36
  • Fair enough. Carry on :) – i-CONICA Jul 08 '14 at 10:38
  • Because you do not know what is going to fail, you can not be sure what possible information will be shown to the user/attacker. A simple site with few namespaces may reveal nothing, but a large code base with multiple namespaces shows up APIs to third parties and susceptible versions, not to mention internal code names for projects. – rob Jul 08 '14 at 10:55

1 Answer

Releasing PDBs gives the ability to easily reverse engineer the source code of your programs. I'd imagine that for your setup you'd have the compiled code running on a server you own and protect. Additionally, stack trace information would be protected by the security of your database server.

The security issue comes from a similar reasoning for hashing passwords. If an attacker can get into your database or server, then they'll have an easier time stealing sensitive information in your source code.

It's all a matter of your risk appetite. If this is just some homepage without sensitive code, then you may wish to accept the risk of information spillage and code theft in lieu of faster debug/development time. However, if the reverse is true, I'd recommend sticking to release builds in production and using a debug server outside of your production network for tracking down issues.

Also, using a logging system such as NLog may be a good solution to detect issues without having to release PDBs. You'll need to write enough logging code to cover all your bases, but the effort can be worth it if releasing PDBs is too risky.

James Santiago
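As an added illustration of the pattern the question and answer circle around (full stack traces, including file and line numbers when a PDB sits beside the assembly, go only to the server-side log, while the browser gets a generic error page), here is a Global.asax.cs error handler. This is example code written for this page, not code from the asker or the answerer; the log path, the error page name and the web.config values quoted in the comment are assumptions.

```csharp
// Added example, not from the question or answer.
// Assumed web.config settings this handler is designed to sit next to:
//   <compilation debug="false" />
//   <customErrors mode="On" defaultRedirect="~/Error.aspx" />
//   <trace enabled="false" />
// (A server-wide <deployment retail="true" /> in machine.config forces the
//  same three settings regardless of what an individual web.config says.)
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Placeholder values; a real deployment would hand the text to a logger such as NLog.
    private const string LogPath = @"C:\logs\app-errors.log";   // assumption
    private const string GenericErrorPage = "~/Error.aspx";    // assumption

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions; log the underlying one.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // Full detail, line numbers included, stays on the server.
        File.AppendAllText(LogPath, FormatForLog(ex, Request.RawUrl));

        // Clear the error so ASP.NET never renders its detailed error page,
        // then hand the client a generic 500 page with no internals in it.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 500;
        Server.Transfer(GenericErrorPage);
    }

    // One line per frame: method, then file and line when symbols are available.
    // File and line are populated only when the matching PDB was loaded with the
    // assembly; without it the frame is logged as "(no symbols)".
    internal static string FormatForLog(Exception ex, string requestUrl)
    {
        var sb = new StringBuilder();
        sb.AppendLine(DateTime.UtcNow.ToString("o") + " " + requestUrl);
        sb.AppendLine(ex.GetType().FullName + ": " + ex.Message);

        var trace = new StackTrace(ex, fNeedFileInfo: true);
        foreach (StackFrame frame in trace.GetFrames() ?? new StackFrame[0])
        {
            var method = frame.GetMethod();
            string where = method == null
                ? "?"
                : method.DeclaringType + "." + method.Name;
            string file = frame.GetFileName();
            sb.AppendLine(file == null
                ? "   at " + where + " (no symbols)"
                : "   at " + where + " in " + file + ":line " + frame.GetFileLineNumber());
        }
        return sb.ToString();
    }
}
```

The handler does not change how the application is compiled; whether a PDB is present next to the assembly (and therefore whether the `in file:line` part of each logged frame is filled in) is exactly the risk trade-off the answer describes. What it guarantees is that the detailed text never reaches the response, so the comments' concern about exposing namespaces, third-party APIs or internal code names is contained to whoever can read the server log.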