The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the product. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the product.
Threat Mapped score: 3.0
Industry: Finiancial
Threat priority: P2 - Serious (High)
N/A
| Phase | Note |
|---|---|
| Implementation | In web-based applications, debug code is used to test and modify web application properties, configuration information, and functions. If a debug application is left on a production server, this oversight during the "software process" allows attackers access to debug functionality. |
| Build and Compilation | N/A |
| Operation | N/A |
Intro: Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:
Body: Then a conforming link will look like:
<FORM ACTION="/authenticate_login.cgi"> <INPUT TYPE=TEXT name=username> <INPUT TYPE=PASSWORD name=password> <INPUT TYPE=SUBMIT> </FORM>