CWE-489: Active Debug Code
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product is released with debugging code still enabled or active.
Common Consequences
Scope: Confidentiality; Integrity; Availability; Access Control; Other
Technical Impact: Bypass Protection Mechanism; Read Application Data; Gain Privileges or Assume Identity; Varies by Context
Note: Active debug code can create unintended entry points or expose sensitive information. The severity depends on the particular instance. At the least, it gives an attacker sensitive information about the settings and internals of the web application on the server. At worst, which is common, the debug code gives an attacker complete control over the web application and the server, and with it any confidential data that either of them can reach.
Potential Mitigations
Phase: Build and Compilation; Distribution
Description: Remove debug code before deploying the application.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without executing it. Typically this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
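A minimal SAST-style check for this weakness, added here as an illustration and not part of the CWE entry or any real scanner: it walks the AST of a Python module and reports constructs that should not reach production (debugger entry points such as `breakpoint()` and `pdb.set_trace()`, `debug=True` keyword arguments, and module-level `DEBUG = True` assignments). The pattern set, the function names and the sample source it scans are assumptions constructed for the example; in a real pipeline the rule set would be tuned to the project's framework.

```python
"""Added example for CWE-489: a small AST-based scan for active debug code.

Not code from the CWE entry. The pattern lists below and the sample module
are constructed for illustration; extend them for your own code base.
"""
import ast
from typing import List, Tuple

Finding = Tuple[int, str]  # (line number, description)

# Calls that drop into a debugger when reached. Hypothetical, non-exhaustive list.
DEBUG_CALLS = {"breakpoint", "pdb.set_trace", "ipdb.set_trace"}
# Module-level flags that commonly switch debug behaviour on.
DEBUG_NAMES = {"DEBUG", "DEBUG_MODE"}


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as `pdb.set_trace`; '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def _is_true(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


def find_active_debug_code(source: str) -> List[Finding]:
    """Return (lineno, description) for every debug construct found in `source`."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DEBUG_CALLS:
                findings.append((node.lineno, f"debugger entry point {name}()"))
            # e.g. app.run(debug=True): enables an interactive debugger in some frameworks
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    findings.append((node.lineno, f"{name}(debug=True)"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id in DEBUG_NAMES:
                    findings.append((node.lineno, f"{target.id} = True"))
    return sorted(findings)


# Constructed sample module with three leftover debug constructs (lines 4, 9, 13).
SAMPLE_SOURCE = '''\
import pdb
from flask import Flask

DEBUG = True
app = Flask(__name__)

@app.route("/debug/config")
def debug_config():
    pdb.set_trace()
    return str(app.config)

if __name__ == "__main__":
    app.run(debug=True)
'''

if __name__ == "__main__":
    for lineno, what in find_active_debug_code(SAMPLE_SOURCE):
        print(f"line {lineno}: {what}")
```

Run as a pre-merge or release-gate check, a non-empty result fails the build. The scan is deliberately syntactic (no data-flow model), which is enough for this weakness because the tell-tale constructs are local; it will not catch a debug route whose only marker is its URL path, which is why a route inventory at release time is a useful complement.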
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | In web-based applications, debug code is used to test and modify web application properties, configuration information, and functions. If a debug application is left on a production server, this oversight during the "software process" allows attackers access to debug functionality. |
| Implementation | A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the product. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the product. |
| Build and Compilation | - |
| Operation | - |
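The back-door pattern described in the consequences and the modes of introduction above, with the build-time removal the mitigation calls for, as an added illustration that is not code from the CWE entry. A tiny framework-free request dispatcher (hypothetical route and function names; the configuration values and user table are constructed) is built twice: once with the development-time debug handlers still registered, and once where the release build never registers them at all, plus a release-gate check that lists any leftover debug routes.

```python
"""Added example for CWE-489: a debug back door left in a web handler table,
beside the same table built for release. Not code from the CWE entry;
all names, routes and data are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]               # (status code, body)
Handler = Callable[[dict], Response]

# Constructed in-memory configuration; in a real app this comes from the environment.
CONFIG = {
    "db_url": "postgres://app:s3cret@db.internal/prod",
    "session_secret": "constructed-secret-do-not-ship",
}
USERS = {"alice": "user", "admin": "admin"}


def build_routes_vulnerable() -> Dict[str, Handler]:
    """Handler table as shipped by mistake: debug entry points are still live."""

    def debug_config(_req: dict) -> Response:
        # Read Application Data: dumps settings and secrets to anyone who asks.
        return 200, "\n".join(f"{k}={v}" for k, v in CONFIG.items())

    def debug_login(req: dict) -> Response:
        # Bypass Protection Mechanism / Gain Privileges: a test-only login
        # that issues a session for any user without a password.
        user = req.get("user", "")
        role = USERS.get(user)
        if role is None:
            return 404, "no such user"
        return 200, f"session for {user} role={role}"

    return {
        "/": lambda _r: (200, "hello"),
        "/debug/config": debug_config,
        "/debug/login": debug_login,
    }


def build_routes_hardened(release: bool) -> Dict[str, Handler]:
    """Handler table where debug routes exist only in non-release builds.

    `release` is decided at build time (for example by CI), not read from the
    request, so a production artifact contains no reachable debug code path.
    """
    routes: Dict[str, Handler] = {"/": lambda _r: (200, "hello")}
    if not release:
        routes["/debug/config"] = lambda _r: (
            200, "\n".join(f"{k}={v}" for k, v in CONFIG.items())
        )
    return routes


def leftover_debug_routes(routes: Dict[str, Handler]) -> List[str]:
    """Release-gate check: any route under /debug/ must not ship."""
    return [path for path in routes if path.startswith("/debug/")]


def dispatch(routes: Dict[str, Handler], path: str,
             req: Optional[dict] = None) -> Response:
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    return handler(req or {})


if __name__ == "__main__":
    shipped = build_routes_vulnerable()
    print(dispatch(shipped, "/debug/config"))                 # leaks CONFIG
    print(dispatch(shipped, "/debug/login", {"user": "admin"}))  # admin session, no password
    print(leftover_debug_routes(build_routes_hardened(release=True)))  # []
```

The point of `leftover_debug_routes` is that the check runs against the artifact that will actually be deployed, not against a developer's checkout: a runtime `if DEBUG:` guard around the same handlers would still be "active debug code" if the flag is ever set in production, whereas a release build that never registers the handlers has nothing to misconfigure.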
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Leftover Debug Code | - |
| OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE More Specific |
| Software Fault Patterns | SFP28 | Unexpected access points | - |