Description
The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality, Integrity, Availability, Access Control, Other: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context
The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.
Potential Mitigations
Phase: Build and Compilation, Distribution
Description:
Remove debug code before deploying the application.