CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-215: Information Exposure Through Debug Information

 
Information Exposure Through Debug Information
Weakness ID: 215 (Weakness Variant)Status: Draft
+ Description

Description Summary

The application contains debugging code that can expose sensitive information to untrusted parties.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Read application data

+ Demonstrative Examples

Example 1

The following code reads a "debugEnabled" system property and writes sensitive debug information to the client browser if true.

(Bad Code)
Example Language: JSP 
<% if (Boolean.getBoolean("debugEnabled")) {
%>
User account number: <%= acctNo %>
<%
} %>

+ Observed Examples
ReferenceDescription
Password exposed in debug information.
CGI script includes sensitive information in debug messages when an error is triggered.
FTP client with debug option enabled shows password to the screen.
+ Potential Mitigations

Phase: Implementation

Do not leave debug statements that could be executed in the source code. Assure that all debug information is eradicated before releasing the software.

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class200Information Exposure
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory717OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory895SFP Cluster: Information Leak
Software Fault Pattern (SFP) Clusters (primary)888
ChildOfCategoryCategory933OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Weaknesses in OWASP Top Ten (2013) (primary)928
ParentOfWeakness VariantWeakness Variant11ASP.NET Misconfiguration: Creating Debug Binary
Research Concepts (primary)1000
+ Relationship Notes

This overlaps other categories.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInfoleak Using Debug Information
OWASP Top Ten 2007A6Information Leakage and Improper Error Handling
OWASP Top Ten 2004A10Insecure Configuration Management
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01CigitalExternal
added/updated demonstrative examples
2008-07-01CigitalExternal
updated Time_of_Introduction
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08MITREInternal
updated Relationships, Relationship_Notes, Taxonomy_Mappings
2009-05-27MITREInternal
updated Demonstrative_Examples
2010-09-27MITREInternal
updated Description, Name, Observed_Examples
2011-06-01MITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11MITREInternal
updated Relationships, Taxonomy_Mappings
2012-10-30MITREInternal
updated Potential_Mitigations
2014-06-23MITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2010-09-27Information Leak Through Debug Information
Page Last Updated: June 23, 2014