I am reading a report from a “web application security” company, whom have been scanning a few websites of the company I am working for. It appears from the report – which seems written without any human involvement – that several attempts where made to break our sites using requests like this:
DEBUG /some_path/some_unexisting_file.aspx
Accept: */*
More-Headers: ...
The result from our server surprises me:
HTTP/1.1 200 OK
Headers: ...
As DEBUG does not seem to be mentioned anywhere in the HTTP 1.1 specification I would have expected the result to be 400 Bad Request or 405 Method Not Allowed.
From earlier question on SO, I have learned that the DEBUG verb is used in some sort of remote debugging of ASP.NET applications, but not many details are available in that question or its answers.
Exactly what is the DEBUG verb used for? Why does the application answer 200 OK for invalid URLs when using this verb? Is this a security problem? Are there any potential security problems surrounding the DEBUG verb, that ASP.NET developers/system administrators should be aware of?
Any insights/advice/references will be appreciated.
http://support.microsoft.com/kb/937523
It uses Windows authentication, and DCOM to actually do the debugging though – so I’m not aware of the DEBUG verb itself being a large security risk (obviously, if you’re allowing RPC traffic, then you’ve got bigger problems) or of any exploits. UrlScan does block it by default, though.
I’d probably put a network sniffer on it to check what information leaks though.