C Sharp Developer Exception Page In Production
Description
Detects when the .NET Core developer exception page middleware is enabled without proper environment checks, which could expose detailed error information including stack traces in production. This creates a security risk by potentially revealing sensitive implementation details to attackers.
Detection Strategy
• Identifies calls to UseDeveloperExceptionPage() method in the application startup code
• Verifies the method is called on an IApplicationBuilder parameter, which indicates middleware configuration
• Checks if the call lacks proper environment conditional checks (like IsDevelopment())
• Reports a vulnerability when the developer exception page is enabled without environment restrictions
Vulnerable code example
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Vulnerable: Using developer exception page without proper environment check
    app.UseDeveloperExceptionPage();
    app.UseHttpsRedirection();
    app.UseRouting();
}
✅ Secure code example
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage(); // Only show detailed errors in development
    }
    else
    {...
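The detection strategy above, written out as a small static check for this page (an added example, not Fluid Attacks' analyzer): it strips comments, records the names of IApplicationBuilder parameters, and reports every UseDeveloperExceptionPage() call on one of them that is not inside an if (...IsDevelopment()...) branch. The two C# snippets are constructed to mirror the page's examples; the else-branch body is an assumption, and the minimal-hosting WebApplication style is out of scope for this check.

```python
import re

# Constructed C# snippets mirroring the page's vulnerable and secure Configure() methods.
VULNERABLE = """public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // Vulnerable: no environment check
    app.UseDeveloperExceptionPage();
}"""
SECURE = """public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); }
    else { app.UseExceptionHandler("/Error"); }
}"""

PARAM = re.compile(r"\bIApplicationBuilder\s+(\w+)")  # middleware builder parameter names
IF = re.compile(r"\bif\s*\(")
CALL = re.compile(r"\b(\w+)\s*\.\s*UseDeveloperExceptionPage\s*\(")
def find_unguarded(src):
    """Return 1-based line numbers where UseDeveloperExceptionPage() is called on an
    IApplicationBuilder parameter outside an if (...IsDevelopment()...) branch."""
    # Drop comments but keep their newlines so reported line numbers stay correct.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    builders = set(PARAM.findall(src))
    guarded = []    # one flag per open '{': is this block an IsDevelopment() branch?
    pending = None  # guard flag of an if-condition awaiting its '{' or single statement
    findings, i = [], 0
    while i < len(src):
        if m := IF.match(src, i):
            depth, j = 1, m.end()
            while depth and j < len(src):  # locate the condition's closing ')'
                depth += {"(": 1, ")": -1}.get(src[j], 0)
                j += 1
            cond = src[m.end():j - 1].strip()
            pending = "IsDevelopment()" in cond and not cond.startswith("!")
            i = j
        elif m := CALL.match(src, i):
            if m.group(1) in builders and not (pending or any(guarded)):
                findings.append(src.count("\n", 0, i) + 1)
            pending, i = None, m.end()
        else:
            if src[i] == "{":
                guarded.append(bool(pending)); pending = None
            elif src[i] == "}" and guarded:
                guarded.pop()
            elif src[i] == ";":
                pending = None
            i += 1
    return findings
```

Running find_unguarded on VULNERABLE reports line 4, and on SECURE reports nothing; a call guarded by a negated check such as if (!env.IsDevelopment()) is still reported.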