Information Leak Through Debug Information
Weakness ID: 215 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The application contains debugging code that can leak sensitive information to untrusted parties.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

The following code reads a "debugEnabled" system property and, when it is true, writes the user's account number into the page served to the client browser. Because the property is read at run time, the debug branch ships in the production build and is one configuration change away from exposing the data to every client.

(Bad Code)
Example Language: JSP
<% if (Boolean.getBoolean("debugEnabled")) {
%>
User account number: <%= acctNo %>
<%
} %>

+ Observed Examples
  • CVE-2004-2268: Debug information infoleak of password.
  • CVE-2002-0918: CGI script includes sensitive information in debug messages when an error is triggered.
  • CVE-2003-1078: FTP client with debug option enabled shows password to the screen.
+ Potential Mitigations

Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software; a debug path that is merely switched off by a run-time flag is still present and can be enabled by a configuration change.

Phase: Architecture and Design

Compartmentalize your system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
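The following is an added example, not code from the CWE page. It reproduces the JSP pattern from the demonstrative example as a Python request handler, shows the hardened counterpart that applies the two mitigations (sensitive data never crosses the trust boundary into the response; diagnostics stay server-side), and adds a release gate that scans source for the run-time debug switch so the debug code is removed rather than just disabled. The account data, the DEBUG_ENABLED variable (standing in for the Java "debugEnabled" system property), and the scanner patterns are assumptions made for this example.

```python
import logging
import re
import uuid

log = logging.getLogger("accounts")  # server-side log; never reaches the client

# Constructed sample data for the example; not a real account.
SAMPLE_ACCOUNT = {"user": "alice", "acct_no": "4411-0000-7788-2023"}


def render_account_page_bad(account, environ):
    """Vulnerable: reproduces the JSP pattern. A run-time flag (the
    hypothetical DEBUG_ENABLED variable, standing in for the Java system
    property "debugEnabled") decides whether the account number is written
    into the response body that any client can read. The debug branch is
    part of the production build, so one configuration change exposes it."""
    body = f"<p>Welcome, {account['user']}</p>"
    if environ.get("DEBUG_ENABLED", "false").lower() == "true":
        body += f"<p>User account number: {account['acct_no']}</p>"
    return body


def mask_account(acct_no):
    """Keep only the last four characters for server-side diagnostics."""
    return "*" * (len(acct_no) - 4) + acct_no[-4:]


def render_account_page_safe(account, environ):
    """Hardened: the response carries no sensitive data regardless of any
    flag. Diagnostic detail goes to the server log under an opaque reference
    the client can quote to support; the log itself only gets a masked
    account number."""
    ref = uuid.uuid4().hex[:12]
    log.debug("render ref=%s user=%s acct=%s",
              ref, account["user"], mask_account(account["acct_no"]))
    return f"<p>Welcome, {account['user']}</p><p>Support reference: {ref}</p>"


# Release gate: source-level patterns that mark a run-time debug switch.
# Illustrative patterns chosen for this example, not an exhaustive list.
DEBUG_SWITCH_PATTERNS = [
    re.compile(r'Boolean\.getBoolean\(\s*"debug\w*"'),   # the JSP idiom above
    re.compile(r'System\.getProperty\(\s*"debug\w*"'),
    re.compile(r'getenv\(\s*"DEBUG\w*"'),
]


def find_debug_switches(source):
    """Return (line number, line) for every line that toggles debug output
    at run time. Run it over the tree before release and fail the build on
    any hit: debug code should be removed, not merely switched off."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in DEBUG_SWITCH_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed copy of the JSP fragment from the example, used as scanner input.
JSP_SNIPPET = (
    '<% if (Boolean.getBoolean("debugEnabled")) {\n'
    '%>\n'
    'User account number: <%= acctNo %>\n'
    '<%\n'
    '} %>\n'
)

if __name__ == "__main__":
    print(render_account_page_bad(SAMPLE_ACCOUNT, {"DEBUG_ENABLED": "true"}))
    print(render_account_page_safe(SAMPLE_ACCOUNT, {"DEBUG_ENABLED": "true"}))
    for lineno, line in find_debug_switches(JSP_SNIPPET):
        print(f"debug switch at line {lineno}: {line}")
```

The hardened handler does not try to make the debug flag "safe"; it removes the data path entirely, which is the point of the first mitigation. The scanner is the release check: it reports line 1 of the JSP fragment and nothing for a page with no debug switch.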

+ Relationships
  • ChildOf Weakness Class 200: Information Exposure
    Views: Development Concepts (primary, 699); Research Concepts (primary, 1000)
  • ChildOf Category 717: OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
    View: Weaknesses in OWASP Top Ten (2007) (primary, 629)
  • ChildOf Category 731: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
    View: Weaknesses in OWASP Top Ten (2004) (primary, 711)
  • ParentOf Weakness Variant 11: ASP.NET Misconfiguration: Creating Debug Binary
    View: Research Concepts (primary, 1000)
+ Relationship Notes

This weakness overlaps other categories, notably the information exposure and error handling categories it is mapped to below.

+ Taxonomy Mappings
  • PLOVER: Infoleak Using Debug Information
  • OWASP Top Ten 2007: A6 (CWE More Specific) - Information Leakage and Improper Error Handling
  • OWASP Top Ten 2004: A10 (CWE More Specific) - Insecure Configuration Management
+ Content History
Submissions
  • PLOVER (Externally Mined)
Modifications
  • 2008-07-01, Sean Eidemiller (Cigital, External): added/updated demonstrative examples
  • 2008-07-01, Eric Dalci (Cigital, External): updated Time of Introduction
  • 2008-08-15, Veracode (External): suggested OWASP Top Ten 2004 mapping
  • 2008-09-08, CWE Content Team (MITRE, Internal): updated Relationships, Relationship Notes, Taxonomy Mappings
  • 2009-05-27, CWE Content Team (MITRE, Internal): updated Demonstrative Examples