Active Debug Code

Draft Base

Structure: Simple

Description

The product is released with debugging code still enabled or active.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailabilityAccess ControlOther

Impact: Bypass Protection MechanismRead Application DataGain Privileges or Assume IdentityVaries by Context

Active debug code can create unintended entry points or expose sensitive information. The severity of the exposed debug code will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug code will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 1

Phase: Build and CompilationDistribution

Remove debug code before deploying the application.

Demonstrative Examples 1

Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:

Code Example:Bad
HTML
html

Then a conforming link will look like:

Code Example:Informative
bash

An attacker can change this to:

Code Example:Attack
bash

Which will grant the attacker access to the site, bypassing the authentication process.

References 1

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

Katrina Tsipenyuk, Brian Chess, and Gary McGraw

NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST

07-11-2005

https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

ID: REF-6

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Not Technology-Specific : UndeterminedICS/OT : Undetermined

Modes of Introduction

Implementation

Build and Compilation

Operation

Related Attack Patterns

Alternate Terms

Leftover debug code

This term originates from Seven Pernicious Kingdoms

Related Weaknesses

ChildOf:

Improper Adherence to Coding Standards (CWE-710)

CanPrecede:

Insertion of Sensitive Information Into Debugging Code (CWE-215)

Taxonomy Mapping

7 Pernicious Kingdoms
OWASP Top Ten 2004
Software Fault Patterns

Notes

OtherIn J2EE a main method may be a good indicator that debug code has been left in the application, although there may not be any direct security impact.