
CWE-215: Information Leak Through Debug Information

Status: Draft
Weakness ID: 215 (Weakness Variant)
+ Description
Summary

The application contains debugging code that can leak sensitive information to untrusted parties.

+ Time of Introduction
* Architecture and Design
* Implementation
* Operation
+ Applicable Platforms
Languages
All
+ Demonstrative Examples

The following code reads a "debugEnabled" system property and writes sensitive debug information to the client browser if true.

JSP Example:
<% if (Boolean.getBoolean("debugEnabled")) { %>
User account number: <%= acctNo %>
<% } %>
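To make the leak and its fix concrete, here is an added Python model of the JSP page above (it is not code from the CWE entry). `render_account_page_vulnerable` reproduces the pattern: whenever the debug flag is on, `acct_no` is written into the response returned to the untrusted client. `render_account_page_hardened` keeps the flag but sends a masked diagnostic line to a server-side log, so nothing sensitive crosses the trust boundary. `PageContext`, the last-four-digits masking rule and the in-memory `SERVER_LOG` are assumptions made for this example.

```python
import logging
import re
from dataclasses import dataclass
from typing import List


@dataclass
class PageContext:
    """Constructed stand-in for the JSP page's request state: the value of
    `acctNo` and of the "debugEnabled" system property."""
    acct_no: str
    debug_enabled: bool


def render_account_page_vulnerable(ctx: PageContext) -> str:
    """Mirrors the JSP example: with the debug flag set, the account number
    is written straight into the HTML returned to the client (CWE-215)."""
    html = "<h1>Account</h1>"
    if ctx.debug_enabled:
        html += f"\nUser account number: {ctx.acct_no}"
    return html


def mask_account(acct_no: str) -> str:
    """Masking rule assumed for the example: keep only the last four digits."""
    digits = re.sub(r"\D", "", acct_no)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


class _ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example runs offline."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


# Server-side log: inside the trust boundary, never sent to the browser.
SERVER_LOG = _ListHandler()
_debug_log = logging.getLogger("example.account.debug")
_debug_log.setLevel(logging.DEBUG)
_debug_log.propagate = False
_debug_log.addHandler(SERVER_LOG)


def render_account_page_hardened(ctx: PageContext) -> str:
    """Same page with the debug path kept inside the trust boundary: the
    client response never carries the account number; diagnostics go to the
    server log, and even there the number is masked."""
    html = "<h1>Account</h1>"
    if ctx.debug_enabled:
        _debug_log.debug("rendering account page for %s",
                         mask_account(ctx.acct_no))
    return html


def leaks_account_number(html: str, acct_no: str) -> bool:
    """Release check: does client-visible output contain the secret value?"""
    return acct_no in html


if __name__ == "__main__":
    ctx = PageContext("4111-2222-3333-4444", debug_enabled=True)
    print("vulnerable leaks:",
          leaks_account_number(render_account_page_vulnerable(ctx), ctx.acct_no))
    print("hardened leaks:  ",
          leaks_account_number(render_account_page_hardened(ctx), ctx.acct_no))
    print("server log:", SERVER_LOG.lines)
```

The point of the hardened variant is not the masking alone: even an unmasked server log would be inside the trust boundary, whereas the original page hands the data to whoever controls the browser. Masking is added because debug logs are routinely shipped to third-party tooling, which is a second boundary crossing.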
+ Observed Examples
Reference | Description
 | CGI script includes sensitive information in debug messages when an error is triggered.
 | FTP client with debug option enabled shows password to the screen.
 | Debug information infoleak of password.
+ Potential Mitigations

Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.

Architecture and Design

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
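Following the first mitigation (remove debug statements before release), here is an added Python pre-release check; it is not part of the CWE entry. It scans JSP source for `<%= ... %>` expressions that sit inside an `if (...debug...) { ... }` scriptlet block, which is exactly the shape of the demonstrative example above. `SAMPLE_JSP` and `CLEAN_JSP` are constructed inputs, and the check is deliberately narrow: it tracks brace depth across scriptlets but does not follow `out.print` calls, included files, tag libraries or Java code outside the page.

```python
import re
from typing import Dict, List, Tuple

# Any scriptlet (<% ... %>) or expression (<%= ... %>) tag in a JSP page.
JSP_TAG = re.compile(r"<%(=?)(.*?)%>", re.DOTALL)
# An `if (...) {` whose condition mentions a debug-style flag. Case-insensitive
# so that debugEnabled, DEBUG_MODE and isDebug are all caught.
DEBUG_GATE = re.compile(r"\bif\s*\(.*?debug.*?\)\s*\{", re.IGNORECASE | re.DOTALL)


def find_debug_gated_outputs(jsp: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every <%= %> expression that is
    emitted from inside an if(...debug...) { ... } block.

    Brace depth is tracked across scriptlet tags so a block opened in one
    <% %> and closed in a later one is handled, as in the CWE example."""
    findings: List[Tuple[int, str]] = []
    depth = 0  # brace depth inside the debug-gated block; 0 means outside
    for m in JSP_TAG.finditer(jsp):
        is_expr, body = m.group(1) == "=", m.group(2)
        line = jsp.count("\n", 0, m.start()) + 1
        if is_expr:
            if depth > 0:
                findings.append((line, body.strip()))
            continue
        if depth == 0:
            gate = DEBUG_GATE.search(body)
            if gate:
                # The gate's own "{" opens the block; count braces after it.
                rest = body[gate.end():]
                depth = 1 + rest.count("{") - rest.count("}")
        else:
            depth += body.count("{") - body.count("}")
        depth = max(depth, 0)
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Run the check over a {path: content} map, e.g. every *.jsp in a build."""
    out: List[Tuple[str, int, str]] = []
    for path in sorted(sources):
        for line, expr in find_debug_gated_outputs(sources[path]):
            out.append((path, line, expr))
    return out


# Constructed sample pages for the example.
SAMPLE_JSP = """\
<html>
<% if (Boolean.getBoolean("debugEnabled")) {
%>
User account number: <%= acctNo %>
Session: <%= session.getId() %>
<%
} %>
Welcome, <%= userName %>
</html>
"""

CLEAN_JSP = """\
Welcome, <%= userName %>
<% if (loggedIn) { %>Signed in<% } %>
"""


if __name__ == "__main__":
    for path, line, expr in scan_sources({"account.jsp": SAMPLE_JSP,
                                          "welcome.jsp": CLEAN_JSP}):
        print(f"{path}:{line}: debug-gated output of <%= {expr} %>")
```

Wired into a build as a failing step when `scan_sources` returns anything, this turns "assure that all debug information is eradicated" from a review reminder into a release gate; a false positive is cheap to whitelist, while a missed `acctNo` reaches production.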

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 200 | Information Leak (Information Disclosure) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 717 | OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling | Weaknesses in OWASP Top Ten (2007) (primary) 629
ParentOf | Weakness Variant | 11 | ASP.NET Misconfiguration: Creating Debug Binary | Research Concepts (primary) 1000
+ Relationship Notes

This overlaps other categories.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Infoleak Using Debug Information
OWASP Top Ten 2007 | A6 | CWE More Specific | Information Leakage and Improper Error Handling
OWASP Top Ten 2004 | A10 | CWE More Specific | Insecure Configuration Management
+ Content History
Submissions
PLOVER. (Externally Mined)
Modifications
Sean Eidemiller. Cigital. 2008-07-01. (External)
added/updated demonstrative examples
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
Veracode. 2008-08-15. (External)
Suggested OWASP Top Ten 2004 mapping
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team. MITRE. 2009-05-27. (Internal)
updated Demonstrative_Examples
Page Last Updated: May 26, 2009