ASP.NET diagnostic page - Vulnerability Database

ASP.NET diagnostic page

Description

An ASP.NET diagnostic page has been detected that is publicly accessible without authentication. These pages are typically created by developers for testing and debugging purposes and expose detailed system information including environment variables, trace data, request details, server configuration, and application state. Such diagnostic tools should never be accessible in production environments or to unauthorized users.

Remediation

Immediately restrict access to the diagnostic page by implementing authorization controls in the web.config file. The recommended approach is to limit access to authorized administrative roles only and explicitly deny access to all other users.

Add the following configuration to your web.config file, replacing "dump.aspx" with the actual filename of the diagnostic page. The <location> element is a direct child of <configuration>, and ASP.NET evaluates authorization rules top to bottom with the first matching rule winning, so the allow rule must come before the deny rule:

<!-- Place inside the root <configuration> element of web.config -->
<location path="dump.aspx">
  <system.web>
    <authorization>
      <!-- First match wins: members of the Admin role are allowed ... -->
      <allow roles="Admin" />
      <!-- ... and every other user, anonymous or authenticated, is denied -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>

Alternatively, remove the diagnostic page entirely from production environments. Diagnostic and debugging tools should only exist in development or staging environments that are not publicly accessible.
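To verify that a web.config actually locks a diagnostic page down before deploying it, the following added script (not part of the advisory) emulates ASP.NET's URL authorization semantics over a constructed sample web.config and lists every <location> an unauthenticated request can still reach; the "health.aspx" entry is a hypothetical page whose author forgot the deny rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the page). "dump.aspx" carries the
# advisory's recommended rules; "health.aspx" (hypothetical) forgot the deny rule.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="dump.aspx">
    <system.web><authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization></system.web>
  </location>
  <location path="health.aspx">
    <system.web><authorization>
      <allow roles="Admin" />
    </authorization></system.web>
  </location>
</configuration>"""

ANONYMOUS = "?"  # ASP.NET's identity token for unauthenticated requests

def _matches(rule, user, roles):
    """True if one <allow>/<deny> element applies to this user."""
    users = {u.strip() for u in rule.get("users", "").split(",") if u.strip()}
    rule_roles = {r.strip() for r in rule.get("roles", "").split(",") if r.strip()}
    if "*" in users or user in users:          # "*" = everyone, "?" = anonymous
        return True
    return bool(rule_roles & set(roles))

def is_allowed(config_xml, path, user=ANONYMOUS, roles=()):
    """Emulate ASP.NET URL authorization for a file path: rules from a matching
    <location> come first, then the root <system.web>; rules are evaluated top
    to bottom and the first match wins; the implicit default is allow."""
    root = ET.fromstring(config_xml)
    rule_sets = [loc.find("system.web/authorization") for loc in root.findall("location")
                 if loc.get("path", "").lower() == path.lower()]
    rule_sets.append(root.find("system.web/authorization"))
    for auth in rule_sets:
        for rule in (auth if auth is not None else []):
            if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
                return rule.tag == "allow"
    return True  # no rule matched: ASP.NET's built-in <allow users="*" />

def anonymous_reachable(config_xml):
    """Audit: every <location path> an unauthenticated request can still reach."""
    root = ET.fromstring(config_xml)
    return [loc.get("path") for loc in root.findall("location")
            if is_allowed(config_xml, loc.get("path"))]
```

Path matching is simplified to an exact filename comparison and machine-level configuration is ignored, so treat the result as a pre-deployment sanity check rather than a substitute for testing the live page unauthenticated.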
