The application can be deployed with active debugging code that can create unintended entry points.
Time of Introduction
Technical Impact: Bypass protection
mechanism; Read application
data; Gain privileges / assume
identity; Varies by context
The severity of the exposed debug application will depend on the
particular instance. At the least, it will give an attacker sensitive
information about the settings and mechanics of web applications on the
server. At worst, as is often the case, the debug application will allow
an attacker complete control over the web application and server, as
well as confidential information that either of these access.
Debug code can be used to bypass authentication. For example,
suppose an application has a login script that receives a username and a
password. Assume also that a third, optional, parameter, called "debug", is
interpreted by the script as requesting a switch to debug mode, and that
when this parameter is given the username and password are not checked. In
such a case, it is very simple to bypass the authentication process if the
special behavior of the application regarding the debug parameter is known.
In a case where the form is:
Which will grant the attacker access to the site, bypassing the
Phases: Build and Compilation; Distribution
Remove debug code before deploying the application.
A common development practice is to add "back door" code specifically
designed for debugging or testing purposes that is not intended to be
shipped or deployed with the application. In web-based applications, debug
code is used to test and modify web application properties, configuration
information, and functions. If a debug application is left on a production
server, an attacker may be able to use it to perform these tasks. When this
sort of debug code is left in the application, the application is open to
unintended modes of interaction. These back door entry points create
security risks because they are not considered during design or testing and
fall outside of the expected operating conditions of the application.
While it is possible to leave debug code in an application in any
language, in J2EE a main method may be a good indicator that debug code has
been left in the application, although there may not be any direct security