Debugging enabled in production
Need
Disabling debugging mode in production environment
Context
- Usage of C# 7.0 for modern language features and enhancements
- Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
- Usage of Microsoft.AspNetCore.Builder for configuring and building ASP.NET Core applications
- Usage of Microsoft.AspNetCore.Hosting for hosting ASP.NET Core applications
- Usage of Microsoft.Extensions.DependencyInjection for Dependency Injection in .NET applications
- Usage of Microsoft.Extensions.Hosting for building and hosting .NET Core applications
Description
Non compliant code
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
In the above code, the Configure method is used to specify how the app responds to HTTP requests. The env.IsDevelopment() method is used to check if the environment is development or not. If it is, the app uses the DeveloperExceptionPage middleware which provides detailed error information useful for debugging.
The vulnerability here is that the DeveloperExceptionPage middleware is enabled in production. This middleware should not be used in production as it can leak sensitive information about the application and its configuration, such as potentially leaking sensitive data in exception messages and stack traces.
The DeveloperExceptionPage middleware should only be used in a development environment. In production, a user-friendly error page should be shown instead, which does not contain any sensitive information.
Steps
- Disable debugging mode in production environment.
- Remove or comment out the 'app.UseDeveloperExceptionPage()' line in the 'Configure' method.
- Configure a custom error handling middleware to handle exceptions in production environment.
- Remove or comment out the 'app.UseHsts()' line if not required.
- Ensure that sensitive error information is not exposed to the user.
- Regularly review and update the error handling mechanism to address any new vulnerabilities.
Compliant code
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
// Custom error handling middleware
app.UseExceptionHandler(builder =>
{
builder.Run(async context =>
{
context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;
var error = context.Features.Get<IExceptionHandlerFeature>();
if (error != null)
{
await context.Response.WriteAsync(error.Error.Message).ConfigureAwait(false);
}
});
});
// app.UseHsts(); // Commented out as it may not be required
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
}
The updated code now includes a custom error handling middleware for the production environment. This middleware is configured in the Configure method of the Startup class.
In the production environment, the app.UseDeveloperExceptionPage() line has been removed to disable the debugging mode. This prevents the system from leaking information when an error is generated.
The app.UseExceptionHandler middleware is used to handle exceptions in the production environment. This middleware captures synchronous and asynchronous System.Exception instances from the pipeline and generates HTML error responses. A custom error handling middleware is configured to handle exceptions and return a generic error message to the user, without exposing sensitive error information.
The app.UseHsts() line has been commented out as it may not be required. This middleware adds the Strict-Transport-Security header to HTTP responses. This header is used by browsers to upgrade requests from HTTP to HTTPS. If your application is not using HTTPS, you can remove this line.
It's important to regularly review and update the error handling mechanism to address any new vulnerabilities.