[WEB SECURITY] Debug symbol in Java Code

Henri Salo henri at nerv.fi
Wed May 4 18:17:12 EDT 2011

On Wed, May 04, 2011 at 01:34:14PM -0700, Gautam wrote:
> Hi MustLive (Don't know your real name, apologies)
> So while I am happy I was correct (after reading your mail below) and have
> mentioned that we should not have '-g' debug 'ON' in production build.
> Now a response to that was 'hey we are just writing web services and they
> don't put anything on the webpages and if no stack traces are seen we don't
> see any security issue here'.
> What are your thoughts on this?
> Adding WASC mailing list, in case it goes this time.
> Thanks,
> Gautam


Security wise it is be wise to not to have functionality. Thus not Abuse of Functionality issues! I like to warn everybody of HTTP 200 code to not allow everyone in sites on every platform and to not allow InFoRmaTion LeaKage!! 

Best debug messages & advisory overload,
Wanabe MusntLive
Administrator of Pure Logic
ps. when do we get an end to this MustLive bullshit?

