Active Debug Code Left in Production
Active debug code can create unintended entry points or expose sensitive information. Typical examples are verbose error pages that print stack traces and configuration values, interactive debugger consoles, undocumented test endpoints, and hard-coded test accounts. The severity depends on the particular instance. At the least, it gives an attacker sensitive information about the configuration and internal mechanics of the web application on the server. At worst, the debug code lets an attacker take complete control of the web application and the server, along with any confidential information either of them can access.
Remediation
To remediate this vulnerability, remove or disable all debug functionality, test hooks, and development backdoors before deploying to production. Build and release pipelines should exclude debugging features from production builds (for example by keying them to a development build profile so they are compiled or packaged out), and a configuration review should confirm that debug modes are off before each release. Where a debug flag must exist, it should default to off and be controlled by deployment configuration rather than hard-coded in source, and the application should refuse to start in a production environment with the flag enabled.
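The following is an added example, not code from the original page, of a pre-release gate that performs the configuration and source review described above. It is written in plain Python with no third-party dependencies. The configuration key names, the source patterns it searches for, and the sample Flask-style application and settings it runs against are assumptions chosen to resemble common Python web frameworks; a real deployment would extend the lists to match its own framework and conventions.

```python
"""Pre-release audit for leftover debug code and debug-mode configuration.

Added example (not part of the original page).  The flag names, route
patterns and sample inputs below are assumptions modelled on common Python
web frameworks (Flask/Django); treat them as a starting point, not a
complete list.
"""
import re
from typing import Dict, List, Tuple

# Configuration keys that must not be truthy in a production build (assumed names).
DEBUG_CONFIG_KEYS = ("DEBUG", "FLASK_DEBUG", "TEMPLATE_DEBUG", "DJANGO_DEBUG")
TRUTHY = {"1", "true", "yes", "on"}

# Source-level indicators of active debug code or development backdoors.
# Each entry is (compiled pattern, explanation); patterns are applied per line.
DEBUG_SOURCE_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\.run\([^)]*debug\s*=\s*True"),
     "interactive debugger enabled at app startup"),
    (re.compile(r"^\s*import\s+pdb\b|\bpdb\.set_trace\(|\bbreakpoint\(\)"),
     "interactive debugger breakpoint left in code"),
    (re.compile(r"@\w+\.route\(\s*['\"][^'\"]*(debug|test|backdoor|__)[^'\"]*['\"]", re.I),
     "debug/test route exposed"),
    (re.compile(r"^\s*(print|logging\.debug)\(.*(password|secret|token|key)", re.I),
     "debug output leaking secrets"),
]


def is_truthy(value: object) -> bool:
    """Interpret a config value the way most frameworks do ("1", "true", True ...)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def audit_config(settings: Dict[str, object]) -> List[str]:
    """Return one finding per debug-mode key that is enabled in `settings`."""
    return [
        f"config: {key}={settings[key]!r} enables debug mode"
        for key in DEBUG_CONFIG_KEYS
        if key in settings and is_truthy(settings[key])
    ]


def audit_source(path: str, source: str) -> List[str]:
    """Return one finding per source line that matches a debug-code pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, why in DEBUG_SOURCE_PATTERNS:
            if pattern.search(line):
                findings.append(f"{path}:{lineno}: {why}: {line.strip()}")
    return findings


def release_gate(settings: Dict[str, object], sources: Dict[str, str]) -> List[str]:
    """Combine both audits; an empty list means the build may ship."""
    findings = audit_config(settings)
    for path, src in sources.items():
        findings.extend(audit_source(path, src))
    return findings


# Constructed sample: a "production" config and app source with leftover debug code.
SAMPLE_SETTINGS = {"APP_ENV": "production", "DEBUG": "true"}
SAMPLE_SOURCE = """\
from flask import Flask, request
app = Flask(__name__)

@app.route("/__debug__/config")
def dump_config():  # development backdoor
    return dict(app.config)

@app.route("/login", methods=["POST"])
def login():
    print("login attempt", request.form.get("password"))  # leftover debug output
    return "ok"

if __name__ == "__main__":
    app.run(debug=True)  # interactive debugger reachable in production
"""

# Constructed sample: the same application with the debug code removed.
HARDENED_SETTINGS = {"APP_ENV": "production", "DEBUG": "false"}
HARDENED_SOURCE = """\
from flask import Flask, request
app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    return "ok"

if __name__ == "__main__":
    app.run(debug=False)
"""

if __name__ == "__main__":
    for label, settings, source in (("vulnerable", SAMPLE_SETTINGS, SAMPLE_SOURCE),
                                    ("hardened", HARDENED_SETTINGS, HARDENED_SOURCE)):
        result = release_gate(settings, {"app.py": source})
        print(f"{label}: {'BLOCKED' if result else 'OK'}")
        for finding in result:
            print("  " + finding)
```

Run as a step in the release pipeline and fail the build when `release_gate` returns any finding. The vulnerable sample is blocked on four counts (the enabled `DEBUG` flag, the `/__debug__/config` route, the `print` of a password, and `debug=True` at startup); the hardened sample passes. Pattern matching on source is a cheap first line of defence and will miss debug code hidden behind indirection, so it complements, rather than replaces, the build-profile separation described above.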
Metadata
- Severity: high
- Slug: active-debug-code-left-in-production
CWEs
- 489: Active Debug Code
- 1295: Debug Messages Revealing Unnecessary Information
OWASP
- A05:2021: Security Misconfiguration