1. Support Center
  2. Issue Definitions
  3. ASP.NET debugging enabled

ASP.NET debugging enabled

Description: ASP.NET debugging enabled

ASP.NET allows remote debugging of web applications, if configured to do so. By default, debugging is subject to access control and requires platform-level authentication.

If an attacker can successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure that may be valuable in formulating targeted attacks against the system.

Remediation: ASP.NET debugging enabled

To disable debugging, open the Web.config file for the application, and find the <compilation> element within the <system.web> section. Set the debug attribute to "false". Note that it is also possible to enable debugging for all applications within the Machine.config file. You should confirm that the debug attribute in the <compilation> element has not been set to "true" within the Machine.config file.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.


Vulnerability classifications

Typical severity


Type index (hex)


Type index (decimal)


Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Read more

Get Burp

Scan your web application from just $449.00

Find out more