Leftover Debug Code
ID: 489 | Date: (C)2012-05-14 (M)2022-10-10 | Type: weakness | Status: DRAFT | Abstraction Type: Base
Description
The application can be deployed with active debugging code that
can create unintended entry points.
Applicable Platforms
Language Class: All
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Confidentiality, Integrity, Availability, Access Control, Other | Bypass protection mechanism; Read application data; Gain privileges / assume identity; Varies by context | The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as the confidential information that either of them can access.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Build and Compilation; Distribution | | Remove debug code before deploying the application. | |
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-489 ChildOf CWE-897 | Category | CWE-888 |
Demonstrative Examples (Details)
- Debug code can be used to bypass authentication. For example,
suppose an application has a login script that receives a username and a
password. Assume also that a third, optional, parameter, called "debug", is
interpreted by the script as requesting a switch to debug mode, and that
when this parameter is given the username and password are not checked. In
such a case, it is very simple to bypass the authentication process if the
special behavior of the application regarding the debug parameter is known.
In a case where the form is:
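The login script described above, as an added example that is not part of the CWE entry: the handler with the leftover "debug" switch beside its mitigated form, plus a small detection aid, in Python. The function names, the constructed credential store and the salted-hash scheme are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample credential store (username -> salted SHA-256 hex digest);
# a real application would use a purpose-built password hash such as argon2.
_SALT = b"constructed-example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _password_ok(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the store."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)


def vulnerable_login(params: dict) -> bool:
    """Login script with leftover debug code (CWE-489): the optional 'debug'
    request parameter switches the script into a mode that skips the
    username/password check, so it becomes an unintended entry point."""
    if params.get("debug") == "1":  # debug switch that should not have shipped
        return True
    return _password_ok(params.get("username", ""), params.get("password", ""))


def hardened_login(params: dict) -> bool:
    """Mitigated version: the debug branch is removed before deployment rather
    than merely disabled, so the result depends only on the credentials."""
    return _password_ok(params.get("username", ""), params.get("password", ""))


def carries_debug_switch(params: dict) -> bool:
    """Detection aid: true when a request still presents a 'debug' parameter.
    Even after the bypass is removed, such requests are worth logging, since
    they indicate someone probing for the leftover behaviour."""
    return "debug" in params
```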
White Box Definitions
A weakness where a code path has a statement that defines an entry point into an application which exposes additional state and control information.
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
7 Pernicious Kingdoms | | Leftover Debug Code |
OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE_More_Specific
References: None