ASP.NET application-level tracing enabled
Description
ASP.NET application-level tracing is a diagnostic feature that captures detailed execution information for each page request, including request parameters, session variables, server variables, and application state. When tracing is enabled with remote access (localOnly="false"), any external user can access the trace.axd endpoint to view comprehensive diagnostic data from recent requests without authentication. This configuration is commonly left enabled after development or debugging activities.
Remediation
Disable application-level tracing in production environments by modifying the web.config file. Locate the <trace> element within the <system.web> section and set the enabled attribute to "false". If tracing must remain enabled for troubleshooting purposes, ensure the localOnly attribute is set to "true" to restrict access to localhost only.
Recommended configuration for production:
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" pageOutput="false" />
  </system.web>
</configuration>

After making changes, restart the application pool or web server to ensure the configuration takes effect. Verify the fix by attempting to access https://yourdomain.com/trace.axd and confirming it returns a 404 or access denied error.
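The following Python script is an added example for auditing the <trace> settings described above; it is not part of this finding's text or of any Microsoft tooling. It parses a web.config, applies the ASP.NET defaults for attributes that are absent (enabled defaults to false, localOnly to true, pageOutput to false), classifies the exposure, and rewrites the element to the recommended production values. The two web.config fragments are constructed samples, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real deployment).
VULNERABLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>
"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" pageOutput="false" />
  </system.web>
</configuration>
"""


def _find_child(element, name):
    """Find a direct child by local name, ignoring any xmlns on the web.config root."""
    for child in element:
        if child.tag.split("}", 1)[-1] == name:
            return child
    return None


def _flag(element, name, default):
    """Read a boolean attribute the way ASP.NET does (case-insensitive), with its documented default."""
    value = element.get(name)
    if value is None:
        return default
    return value.strip().lower() == "true"


def audit_trace_config(web_config_xml):
    """Classify the <system.web><trace> settings: pass, warn (localhost only) or fail (remote trace.axd)."""
    root = ET.fromstring(web_config_xml)
    system_web = _find_child(root, "system.web")
    trace = _find_child(system_web, "trace") if system_web is not None else None
    if trace is None:
        # No <trace> element at all: ASP.NET defaults apply, so tracing is off.
        enabled, local_only, page_output = False, True, False
    else:
        enabled = _flag(trace, "enabled", False)
        local_only = _flag(trace, "localOnly", True)
        page_output = _flag(trace, "pageOutput", False)

    if not enabled:
        verdict, reason = "pass", "tracing disabled; trace.axd is not served"
    elif local_only:
        verdict, reason = "warn", "tracing enabled but trace.axd only answers local requests"
    else:
        verdict, reason = "fail", "trace.axd reachable by any remote client without authentication"

    return {
        "enabled": enabled,
        "localOnly": local_only,
        "pageOutput": page_output,
        "verdict": verdict,
        "reason": reason,
    }


def harden_trace_config(web_config_xml):
    """Return the web.config with <trace> set to the recommended production values."""
    root = ET.fromstring(web_config_xml)
    system_web = _find_child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    trace = _find_child(system_web, "trace")
    if trace is None:
        trace = ET.SubElement(system_web, "trace")
    trace.set("enabled", "false")
    trace.set("localOnly", "true")
    trace.set("pageOutput", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        result = audit_trace_config(cfg)
        print(f"{label}: {result['verdict']} - {result['reason']}")
    print(harden_trace_config(VULNERABLE_WEB_CONFIG))
```

Running the audit against every web.config under the site root (including those in subdirectories, which can re-enable tracing for a folder) gives a quick configuration check; the request against https://yourdomain.com/trace.axd described above remains the confirmation that the deployed configuration actually took effect after the application pool restart.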