
Leftover Debug Code

ID: 489
Date: (C) 2012-05-14   (M) 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

The application can be deployed with active debugging code that can create unintended entry points.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Implementation
  • Operation

Common Consequences

Scope: Confidentiality, Integrity, Availability, Access_Control, Other
Technical Impact: Bypass protection mechanism; Read application data; Gain privileges / assume identity; Varies by context
Notes: The severity of the exposed debug application depends on the particular instance. At the least, it gives an attacker sensitive information about the settings and mechanics of the web applications on the server. At worst, as is often the case, the debug application gives an attacker complete control over the web application and the server, as well as the confidential information that either of these can access.

Detection Methods
None

Potential Mitigations

Phase: Build and Compilation; Distribution
Description: Remove debug code before deploying the application.

Relationships

Related CWE: CWE-489 ChildOf CWE-897 (Type: Category; View: CWE-888)

Demonstrative Examples

  1. Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:
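The bypass described in this example, as an added Python illustration that is not part of the CWE entry (the entry's own form and script are not reproduced on this page): a login handler whose leftover "debug" parameter skips credential checking, beside the corrected handler with that path removed, plus a small audit helper for spotting requests that carry the switch. The user name, password, salt and the `USERS` store are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed credential store for the example: username -> PBKDF2 hash.
# Salt and password are sample values, not real credentials.
_SALT = b"constructed-example-salt"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}


def _password_ok(username: str, password: str) -> bool:
    """Verify a password against the stored hash with a constant-time comparison."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def vulnerable_login(params: dict) -> bool:
    """Login handler with leftover debug code (CWE-489): the optional
    'debug' parameter switches to a mode in which credentials are not checked."""
    if "debug" in params:  # leftover entry point; must never reach production
        return True
    return _password_ok(params.get("username", ""), params.get("password", ""))


def hardened_login(params: dict) -> bool:
    """Same handler with the debug path removed: a single code path, and every
    request must present valid credentials. Unknown parameters are ignored."""
    return _password_ok(params.get("username", ""), params.get("password", ""))


def requests_with_debug_switch(query_strings: list) -> list:
    """Defender-side audit: return the request query strings that carry a
    'debug' key (blank values included), e.g. when reviewing access logs."""
    return [qs for qs in query_strings
            if "debug" in parse_qs(qs, keep_blank_values=True)]


if __name__ == "__main__":
    attempt = {"username": "alice", "password": "wrong", "debug": ""}
    print("vulnerable handler, wrong password + debug:", vulnerable_login(attempt))  # True
    print("hardened handler,   wrong password + debug:", hardened_login(attempt))    # False
```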

White Box Definitions
A weakness where a code path contains a statement that defines an entry point into the application which exposes additional state and control information.

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: 7 Pernicious Kingdoms
Name: Leftover Debug Code

Taxonomy: OWASP Top Ten 2004
Id: A10
Name: Insecure Configuration Management
Fit: CWE_More_Specific

References:
None

CVE (3)
CVE-2021-1381
CVE-2021-1398
CVE-2021-1391

© SecPod Technologies