CWE-489: Leftover Debug Code

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Unknown


The application can be deployed with active debugging code that can create unintended entry points.


A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.


  • ChildOf: CWE-710 (View 1000, Ordinal: Primary)


Language: Language-Independent (Prevalence: Undetermined)


Scope: Confidentiality, Integrity, Availability, Access Control, Other
Impact: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context
Note: The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these can access.


Phase: Build and Compilation, Distribution

Remove debug code before deploying the application.


Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:

Bad code (HTML):

<FORM ACTION="/authenticate_login.cgi">
<INPUT TYPE=TEXT name=username>
<INPUT TYPE=PASSWORD name=password>
<INPUT TYPE=SUBMIT>
</FORM>

Then a conforming link will look like:



An attacker can change this to:



Which will grant the attacker access to the site, bypassing the authentication process.
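
The login logic described above, shown next to a release version with the debug branch removed. This is an added example, not code from the CWE entry: the function names, the sample user store and the rejection of unexpected parameters are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample credential store (assumption): username -> SHA-256 of password.
# A real application would use a salted, slow password hash instead.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# The only parameters the login form legitimately sends.
ALLOWED_PARAMS = {"username", "password"}


def _password_ok(username, password):
    """Check the password in constant time against the stored digest."""
    stored = USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    # Unknown users are compared against a dummy digest so timing stays uniform.
    return hmac.compare_digest(stored or "0" * 64, supplied) and stored is not None


def authenticate_with_debug(params):
    """Behaviour described in the text: a 'debug' parameter skips the check."""
    if "debug" in params:  # leftover debug switch shipped to production
        return True
    return _password_ok(params.get("username", ""), params.get("password", ""))


def authenticate_release(params):
    """Release build: no debug branch, and unexpected parameters are refused."""
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        # Raising (and logging upstream) makes probing for hidden switches visible.
        raise ValueError("unexpected parameters: " + ", ".join(sorted(unexpected)))
    return _password_ok(params.get("username", ""), params.get("password", ""))
```

Rejecting unknown parameters does not replace removing the debug code; it gives operations a signal when someone probes for switches that should no longer exist.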



Mapped Taxonomy Name     Node ID   Fit                  Mapped Node Name
7 Pernicious Kingdoms    -         -                    Leftover Debug Code
OWASP Top Ten 2004       A10       CWE More Specific    Insecure Configuration Management
Software Fault Patterns  SFP28     -                    Unexpected access points


  • CAPEC-121