Debug Mode
In some instances, debug mode has been enabled on an ASP.NET application, which allows an attacker to receive additional information about the application.
The Command: stop-debug header is essential for this to work.
Execution
curl -ikX 'DEBUG' -H "Command: stop-debug" http://example.com/
DEBUG / HTTP/1.1
Host: example.com
Command: stop-debug
If the website returns 200 OK, then debug mode is enabled.
The website will return 403 Forbidden if debug is turned off.
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: true
Access-Control-Allow-Credentials: IE=11
Date: Fri, 08 Jul 2022 11:39:56 GMT
Content-Length: 2
OK
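The server-side counterpart of the check above, as an added example that is not part of the original page: ASP.NET debug mode is controlled by the debug attribute of the compilation element in web.config, so a configuration audit can flag it before deployment. The sample configurations and the function name find_debug_enabled are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not taken from any real application).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="true" />
    </system.web>
  </location>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.8" />
  </system.web>
</configuration>"""


def find_debug_enabled(config_xml):
    """Return the scopes ('/' or a <location> path) where debug is switched on."""
    root = ET.fromstring(config_xml)
    # Site-wide setting: configuration/system.web/compilation
    scopes = [("/", root)]
    # Per-path overrides: configuration/location[@path]/system.web/compilation
    scopes += [(loc.get("path", "/"), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        for comp in node.findall("system.web/compilation"):
            # A missing attribute means debug is off (the default).
            # The comparison ignores case so an audit does not miss a variant spelling.
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append(scope)
    return findings


if __name__ == "__main__":
    print("weak config:", find_debug_enabled(WEAK_CONFIG))
    print("hardened config:", find_debug_enabled(HARDENED_CONFIG))
```

An empty result means no scope in the file enables debug; any listed scope should be set to debug="false" before the application is published.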