AttackFlow Findings Dictionary

Finding A Way To Try AttackFlow Enterprise Edition?

If so, click to download 15 days full version for free!

Unsafe Debug Directive

Detailed error or normal process messages may allow attackers to deduce internal details of an application that will leverage further attacks

Severity

Low

Fix Cost

Low

Trust Level

High

Presenting detailed error messages is always advantageous for developers to understand the root reason of a development or a production bug.

However, the same is true for attackers. An attacker presented a detailed exception will abuse it for a huge range of vulnerabilities; all injection types of vulnerabilities, padding oracle, business logic problems, mass assignment etc.

ASP.NET has a configuration directive, compilation, whose debug attribute value specifies whether to compile debug binaries rather than retail binaries if set to true, which is the default value. Debug binaries giveaway detailed debugging messages.

Here’s an insecure Web.config debug directive;

              

              <configuration>
              <system.web>
              <compilation debug="true" targetFramework="4.6.1" />
              ...  
 
                 
            

Given the above code, if CustomClass doesn’t override the Equals method, the equality check will fail. However, the intended semantic might tell that they are equal because of the same first name and age.

Finding A Way To Purchase AttackFlow Enterprise Edition?

If so, click to buy now for yearly subscriptions!