[WEB SECURITY] Debug symbol in Java Code

Gautam itsecanalyst at gmail.com
Wed May 4 16:34:14 EDT 2011


Hi MustLive (Don't know your real name, apologies)

So while I am happy I was correct (after reading your mail below) and have
mentioned that we should not have '-g' debug 'ON' in a production build.

Now a response to that was "hey, we are just writing web services and they
don't put anything on the web pages, and if no stack traces are seen we don't
see any security issue here".

What are your thoughts on this?

Adding WASC mailing list, in case it goes this time.

Thanks,
Gautam


On Wed, May 4, 2011 at 9:59 AM, MustLive <mustlive at websecurity.com.ua> wrote:

>  *Hello Gautam!*
>
> You meant the WASC Websecurity Mailing List?
>
> Without a doubt you can write me directly :-), but taking into account that
> I'm a busy man, for faster answers it's better for you to send questions to
> the mailing list, where many people will see them and will be able to answer
> you.
>
> > if it would be wise to (security wise) have Java code with DEBUG symbols
> > ON in production.
>
> It's not wise in any programming language to show any debug information in a
> production environment (like on web sites), in Java as in any other
> language, so as not to allow any information leakage which can occur within
> debug information.
>
> Concerning Java in particular, I have some experience in it (including
> pentesting sites on JSP, where I saw Information Disclosures via error
> messages many times, so error messaging on the server/webapp must be turned
> off), read a lot of sources, did decompilation of applets and even wrote a
> "hello world" application :-). So I have different experience in Java, but
> still small, especially in developing Java applications, so except for error
> messages in JSP web applications I've not seen other output of debug
> information. For this reason it's hard for me to tell you about specific
> disclosures in such webapps/apps and the risks in every particular case, but
> in general it's better to turn debug messages off in a production environment.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> *From:* Gautam <itsecanalyst at gmail.com>
> *To:* mustlive at websecurity.com.ua
> *Sent:* Sunday, May 01, 2011 7:05 AM
> *Subject:* Debug symbol in Java Code
>
> Hi,
>
> I am not sure if I can write directly to you; however, I am not able to post
> to the websec forum and it is bouncing me every time.
>
> I was recently posed a question whether it would be wise (security wise) to
> have Java code with DEBUG symbols ON in production. I come from a C/C++
> background, and the only issue I could think of here was performance. The
> product team deferred the performance point, and the only thing to get this
> OK was if there are any security issues.
>
> One issue which I could imagine was if the stack traces come to the screen by
> any chance, then because of the DEBUG symbols it would show the exact
> stack trace, which would not be good, I thought.
>
> I wanted to know your thoughts on this or any pointer to read more on this.
>
> Appreciate your reply,
>
> Gautam
>
>
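The thread's open question is whether '-g' matters for a web service that never renders a stack trace. As an added example (not code from this thread or from either correspondent), the Python script below checks what a build actually ships: every attribute name in a class file, including the debug ones, must be stored as a CONSTANT_Utf8 entry in the constant pool, so walking the pool is enough to tell whether javac emitted SourceFile, LineNumberTable or LocalVariableTable. The sample class files and the in-memory jar are constructed for the demo (they are not javac output), and the com/example entry names are placeholders.

```python
import io
import struct
import zipfile

# Attribute names javac emits only when debug info is requested.
# Default javac: SourceFile + LineNumberTable; -g adds LocalVariableTable
# (and LocalVariableTypeTable for generics); -g:none emits none of them.
DEBUG_ATTRIBUTES = ("SourceFile", "LineNumberTable",
                    "LocalVariableTable", "LocalVariableTypeTable")

# Size of the fixed payload that follows each constant-pool tag (JVM spec 4.4).
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_utf8(class_bytes):
    """Return the set of CONSTANT_Utf8 strings in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, idx, utf8 = 10, 1, set()
    while idx < count:
        tag = class_bytes[off]
        off += 1
        if tag == 1:                       # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", class_bytes, off)
            off += 2
            utf8.add(class_bytes[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in _FIXED_SIZE:
            off += _FIXED_SIZE[tag]
            if tag in (5, 6):              # Long and Double occupy two pool slots
                idx += 1
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    return utf8


def debug_attributes(class_bytes):
    """Names of the debug attributes present in one class file, in spec order."""
    pool = constant_pool_utf8(class_bytes)
    return [name for name in DEBUG_ATTRIBUTES if name in pool]


def scan_jar(jar):
    """Map every .class entry in a jar (path or file object) to its debug attributes."""
    report = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report[name] = debug_attributes(zf.read(name))
    return report


def build_demo_class(strings):
    """CONSTRUCTED sample: class-file header plus a Utf8-only constant pool,
    which is all the scanner reads. Not produced by javac."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode("ascii")
                    for s in strings)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(strings) + 1)
    return header + pool


# Constructed samples modelling the three javac configurations.
FULL_DEBUG = build_demo_class(["Hello", "java/lang/Object", "Code", "Hello.java",
                               "SourceFile", "LineNumberTable", "LocalVariableTable"])
DEFAULT_BUILD = build_demo_class(["Hello", "java/lang/Object", "Code", "Hello.java",
                                  "SourceFile", "LineNumberTable"])
STRIPPED = build_demo_class(["Hello", "java/lang/Object", "Code"])


def build_demo_jar():
    """CONSTRUCTED in-memory jar holding the three sample classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Full.class", FULL_DEBUG)
        zf.writestr("com/example/Default.class", DEFAULT_BUILD)
        zf.writestr("com/example/Stripped.class", STRIPPED)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, attrs in sorted(scan_jar(build_demo_jar()).items()):
        verdict = "debug info present" if attrs else "stripped (-g:none)"
        print("%-28s %s %s" % (entry, verdict, attrs))
```

Run against a real artifact with `scan_jar("app.jar")`. The scanner stops after the constant pool, so it is cheap to run over a whole release directory in CI. Two things worth knowing when reading the report: the attributes ship inside the jar regardless of whether a stack trace ever reaches a client, so even a service that returns only generic faults still hands line numbers and local variable names to anyone who obtains the artifact and decompiles it; and a class that legitimately contains the string "LineNumberTable" (a bytecode library, say) will show as a false positive, so treat a hit as a prompt to look with `javap -l -v`, not as proof.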