The application can be deployed with active debugging code that can create unintended entry points.
A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Time of Introduction
Build and Compilation
Modes of Introduction
In web-based applications, debug code is used to test and modify web application properties, configuration information, and functions. If a debug application is left on a production server, this oversight in the development and deployment process gives attackers access to the debug functionality.
Technical Impact: Bypass protection mechanism; Read application data; Gain privileges / assume identity; Varies by context
The severity of an exposed debug application depends on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of the web applications on the server. At worst, and this is often the case, the debug application will give the attacker complete control over the web application and the server, together with access to any confidential information that either of them can reach.
Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional parameter, called "debug", is interpreted by the script as a request to switch to debug mode, and that when this parameter is present the username and password are not checked. In such a case, bypassing the authentication process is trivial once the application's special handling of the debug parameter is known. In a case where the form is:
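The scenario above, written out as an added example rather than code from the original entry: a login handler that honours a "debug" parameter the form never sends, placed beside a hardened handler with the back door removed. The form, the credential store, the parameter names other than "debug", and the parsing of a form-encoded request body are all assumptions constructed for the example.

```python
"""Login handler with a debug back door, beside a hardened version.

Constructed example: the form, the credential store and the body parsing
are assumptions for illustration, not the original entry's own code.
"""
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed form (assumed, not from the page). It only ever sends two
# fields; the third parameter the vulnerable handler accepts is invisible
# to anyone who only looks at the form.
LOGIN_FORM = """
<form action="/login" method="POST">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""

# Constructed credential store: username -> salted SHA-256 of the password.
SALT = b"constructed-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


USERS = {"alice": _hash("correct horse battery staple")}


def credentials_valid(username: str, password: str) -> bool:
    """Constant-time comparison against the stored digest; an unknown user
    still pays for one hash so timing does not reveal valid usernames."""
    candidate = _hash(password)
    stored = USERS.get(username, _hash(""))  # dummy digest keeps the path uniform
    return username in USERS and hmac.compare_digest(stored, candidate)


def parse_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def login_vulnerable(body: str) -> str:
    """The pattern the entry describes: a third 'debug' parameter skips the
    credential check entirely, so anyone who knows the parameter logs in."""
    params = parse_body(body)
    if params.get("debug") == "1":  # debug back door left in production
        return f"LOGGED_IN:{params.get('username', '')}"
    if credentials_valid(params.get("username", ""), params.get("password", "")):
        return f"LOGGED_IN:{params['username']}"
    return "DENIED"


def login_hardened(body: str) -> str:
    """Same handler with the back door removed: unrecognised parameters are
    ignored and the credential check runs on every request."""
    params = parse_body(body)
    if credentials_valid(params.get("username", ""), params.get("password", "")):
        return f"LOGGED_IN:{params['username']}"
    return "DENIED"


if __name__ == "__main__":
    # A wrong password is refused by both handlers.
    print(login_vulnerable("username=alice&password=wrong"))
    # Appending debug=1 bypasses authentication in the vulnerable handler only.
    print(login_vulnerable("username=alice&password=wrong&debug=1"))
    print(login_hardened("username=alice&password=wrong&debug=1"))
```

The fix is removal, not gating: replacing the request parameter with an environment variable or configuration flag merely moves the back door, since a misconfigured production host (or an attacker who can influence the environment) re-enables it. Debug-only paths belong behind a build-time switch that excludes them from the shipped artifact, and a deployment check should fail the build if such a switch is on.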