ASP.NET Debug Mode Validation

Checking if an ASP.NET Server is Running in Debug Mode

Securing servers involves multiple steps, and one of the initial tasks is identifying vulnerabilities that can easily be exploited—often referred to as "low-hanging fruit." To get an overview of potential weaknesses quickly, vulnerability scanners are commonly used. However, sometimes relying on scanners isn't enough, and it's useful to perform manual checks. One such vulnerability I frequently encounter is ASP.NET servers running in debug mode, often due to negligence from developers.

In this guide, we’ll walk through a simple method to check whether an ASP.NET server is running in debug mode using basic tools over HTTP(s). While we won’t dive into the consequences of running in debug mode or how to exploit it, this method will help you quickly identify such a setup.

Tools Needed

We’re not going to use any advanced tools here—just some basic utilities. Depending on whether the server is using HTTPS or HTTP, we’ll need at least two tools:

• Netcat or Telnet for non-HTTPS (plain HTTP) servers

• OpenSSL for HTTPS servers

I'll be using Kali Linux in this example, but these commands should work on any Linux distribution with the appropriate tools installed.

Netcat and Telnet

If the target server doesn’t use HTTPS, connecting to it is straightforward with Netcat or Telnet. Here's how to use them:

$ nc host port

Or:

$ telnet host port

OpenSSL

For servers that use HTTPS, you'll need OpenSSL to establish a secure connection:

$ openssl s_client -connect host:port

After running this command, you should be connected, and your terminal will be ready to accept input.

Sending the HTTP Request

The goal here is to send an HTTP request that can trigger the ASP.NET debugger. To do this, we'll use the DEBUG HTTP verb, which is specific to Microsoft servers and is not part of the official HTTP standard. With this verb, we’ll issue a command to the server, asking it to stop debugging (if debugging is enabled).

Here’s the HTTP request format:

DEBUG / HTTP/1.1
Host: hostname_here
Command: stop-debug

In this request:

• The DEBUG / verb tells the server we're attempting to interact with the debugger.

• The Host: header identifies the target server.

• The Command: stop-debug instructs the debugger to stop, which is simply a way to verify the server's debug mode status.

Interpreting the Response

If the server is running in debug mode, you should receive an HTTP response like this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: blahblahblah
Content-Length: 2

OK

If the response is anything other than HTTP/1.1 200 OK, it indicates that the server is not running in debug mode—or you may need to check your request for any mistakes.

Conclusion

This method provides a simple and effective way to check if an ASP.NET server is running in debug mode, using basic tools and HTTP requests. By manually verifying the presence of the DEBUG verb in the server's response, you can determine whether debugging is enabled, helping to identify potential security risks.