MiniProfiler exposure
What this means
MiniProfiler is a lightweight profiling library that developers attach to a web application to identify and troubleshoot performance problems. It records the execution time of each step of a request, including the database queries the application issues, and renders those timings in a small widget injected into the served page.
Why this is a problem
When MiniProfiler is left enabled in a production environment, anyone who can load the application's pages can read the profiler's debugging output, which includes:
- information disclosure – attackers gain visibility into the SQL statements the application runs (revealing table and column names and the structure of each query), into the names and timings of internal methods, and into stack traces that can pinpoint vulnerable or misconfigured components
- exploitation opportunities – knowing the exact shape of a query makes crafting SQL Injection payloads far easier, visible command execution paths help craft Command Injection attacks, and the timing data shows which endpoints are slowest and therefore the cheapest targets for disrupting application availability
Taken together, this unintended exposure gives attackers a map of the application's backend architecture and lets them identify likely vulnerabilities without having to guess.
How to check if the problem is there
To determine if MiniProfiler is exposed in your production environment, you can:
- review application configuration
- carry out manual testing
Review Application Configuration
Verify whether MiniProfiler is enabled in production through configuration files, environment variables or startup code, for example a profiler middleware or service registration that runs unconditionally instead of only in a development configuration.
Check any code that conditionally enables MiniProfiler and make sure the condition really is limited to non-production environments (a check on a build flag such as DEBUG is not the same as a check on the deployment environment).
Manual Testing
Load your application's pages in a browser and look for the MiniProfiler widget: a small box, usually in a corner of the page, listing request timings that expands to show SQL query text, per-step execution times and other debugging details.
Also inspect the responses themselves. Profiled responses carry an X-MiniProfiler-Ids header, and the page HTML contains a script include pointing at the profiler's route base, which defaults to /mini-profiler-resources/. Requesting that path directly (on the .NET implementation, /mini-profiler-resources/results-index lists all stored profiles) shows whether the endpoints answer without authentication. A 200 response means the data is reachable by anyone; a 401 or 403 means the profiler is present but access-controlled; a 404 means it is absent or was moved to a custom route base.
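The manual checks above, as an added example that is not part of the original page: a small C# console program (assumes .NET 6 or later) that requests a page and the default MiniProfiler route base and reports what it finds. The target URL is a placeholder, ProbeAsync and the probe paths are the example's own names, and the route base is MiniProfiler's default rather than anything the page specifies.

```csharp
// Added example, not from the original page: probe a host for the default
// MiniProfiler route base and response header. Target URL is a placeholder.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

class MiniProfilerProbe
{
    // Default MiniProfiler route base; an application that configured a custom
    // RouteBasePath will not answer here, so a miss is not proof of absence.
    const string RouteBase = "/mini-profiler-resources";

    // Paths under the route base worth a direct request (MiniProfiler for .NET):
    // the client script and the index of all stored profiles.
    static readonly string[] ProbePaths = { "/includes.min.js", "/results-index" };

    static async Task<List<string>> ProbeAsync(HttpClient client, string baseUrl)
    {
        var findings = new List<string>();

        // A normal page: profiled responses carry X-MiniProfiler-Ids and the HTML
        // contains a script include that references the route base.
        using var page = await client.GetAsync(baseUrl + "/");
        if (page.Headers.Contains("X-MiniProfiler-Ids"))
            findings.Add("X-MiniProfiler-Ids header present on /");
        var body = await page.Content.ReadAsStringAsync();
        if (body.IndexOf(RouteBase, StringComparison.OrdinalIgnoreCase) >= 0)
            findings.Add("profiler script include referenced from /");

        // Direct requests: 200 means reachable without credentials, 401/403 means
        // present but gated, anything else means absent or relocated.
        foreach (var path in ProbePaths)
        {
            using var resp = await client.GetAsync(baseUrl + RouteBase + path);
            var status = (int)resp.StatusCode;
            if (status == 200)
                findings.Add($"{RouteBase}{path} reachable unauthenticated ({status})");
            else if (status == 401 || status == 403)
                findings.Add($"{RouteBase}{path} present but access-controlled ({status})");
        }
        return findings;
    }

    static async Task Main(string[] args)
    {
        // Placeholder target; pass the real base URL as the first argument.
        var baseUrl = (args.Length > 0 ? args[0] : "https://app.example.com").TrimEnd('/');
        using var client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

        var findings = await ProbeAsync(client, baseUrl);
        Console.WriteLine(findings.Count == 0
            ? "No MiniProfiler indicators found (also try any custom RouteBasePath you know of)."
            : "MiniProfiler indicators:");
        foreach (var finding in findings)
            Console.WriteLine("  " + finding);
    }
}
```

Run it only against hosts you are authorised to test. Treat a "present but access-controlled" result as something to confirm by hand: a 401 on results-index proves the results list is gated, not that individual results or the profiler widget are.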
How to fix this
If MiniProfiler is required in an environment, some risk of exposure always remains.
That risk can be minimised by taking preventative measures, including:
- implement conditional loading – register the profiler only when the deployment environment is a development or test environment, so that production builds do not load it at all
- configure access controls – configure the profiler so that results, the results index and the profiler widget are shown only to authenticated, authorised users (an administrator role, for example), and profile only those users' requests so nothing is stored for anyone else
- restrict collection and display of sensitive data – exclude endpoints that handle credentials or personal data from profiling, and keep secrets out of custom timing names and SQL text that the profiler will record
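One way to apply the three measures above in an ASP.NET Core application that uses the MiniProfiler.AspNetCore.Mvc package, as an added example rather than the project's own sample code. The "Admin" role name, the custom route base path and the ignored login path are assumptions; the option names (RouteBasePath, ResultsAuthorize, ResultsListAuthorize, ShouldProfile, IgnoredPaths) are the package's real ones.

```csharp
// Added example, not from the original page: ASP.NET Core startup (Program.cs)
// that keeps MiniProfiler out of production and gates it to an assumed "Admin" role.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

// Conditional loading: the decision is made on the deployment environment
// (ASPNETCORE_ENVIRONMENT), not on a build flag, so a Release build deployed
// as Development still profiles and a Debug build deployed as Production does not.
var profilerEnabled = builder.Environment.IsDevelopment();

if (profilerEnabled)
{
    builder.Services.AddMiniProfiler(options =>
    {
        // Move off the well-known default so the route base is not a giveaway.
        // (Assumed path; defence in depth only, the authorisation below is what matters.)
        options.RouteBasePath = "/internal-profiler";

        // Access controls: only authenticated users in the assumed "Admin" role may
        // fetch an individual result or the index of all stored results.
        Func<HttpRequest, bool> isAdmin = request => request.HttpContext.User.IsInRole("Admin");
        options.ResultsAuthorize = isAdmin;
        options.ResultsListAuthorize = isAdmin;

        // Profile only those users' requests, so nothing is stored for everyone else
        // and no X-MiniProfiler-Ids header or widget is emitted to them.
        options.ShouldProfile = isAdmin;

        // Restrict collection: never profile the login endpoint (assumed path), so
        // credential-handling queries are not recorded even for administrators.
        options.IgnoredPaths.Add("/account/login");
    });
}

var app = builder.Build();

// Authentication must run before the profiler so HttpContext.User is populated
// when ShouldProfile and ResultsAuthorize are evaluated.
app.UseAuthentication();
app.UseAuthorization();

if (profilerEnabled)
{
    app.UseMiniProfiler();
}

app.MapDefaultControllerRoute();
app.Run();
```

The two if-blocks are deliberately driven by the same variable: registering the services without the middleware, or the other way round, is a common way to end up with a half-enabled profiler that still serves result endpoints. ShouldProfile is the control that actually stops data being collected; ResultsAuthorize only stops it being displayed.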
Make sure that you keep MiniProfiler up-to-date with the latest supported version, as newer releases often include security fixes and configuration improvements.