[WEB SECURITY] Debug symbol in Jave Code

Jeremiah Heller jeremiah at inertialbit.net
Wed May 4 18:06:57 EDT 2011


On May 4, 2011, at 1:34 PM, Gautam wrote:

> Hi MustLive (Don't know your real name, apologies)
> 
> So while I am happy I was correct (after reading your mail below) and have mentioned that we should not have '-g' debug 'ON' in the production build.
> 
> Now a response to that was: 'hey, we are just writing web services and they don't put anything on the web pages, and if no stack traces are seen we don't see any security issue here'.

Have you seen this OWASP page? It should provide criteria to gauge your case against.

https://www.owasp.org/index.php/Information_Leakage

> Thanks,
> Gautam
> 
> 
> On Wed, May 4, 2011 at 9:59 AM, MustLive <mustlive at websecurity.com.ua> wrote:
> Hello Gautam!
>  
> You meant the WASC Websecurity Mailing List?
>  
> With no doubt you can write me directly :-), but taking into account that I'm a busy man, for faster answers it's better for you to send questions to the mailing list, where many people will see them and will be able to answer you.
>  
> > if it would be wise to (security wise) have Java code with DEBUG symbols ON in production.
>  
> It's not wise for any programming language to show any debug information in a production environment (like on web sites), in Java as in any other language, so as not to allow any information leakage which can occur through debug information.
>  
> Concerning Java in particular, I have some experience in it (including pentesting sites on JSP, so I saw many times Information Disclosures via error messages, so server/webapp error messaging must be turned off), read a lot of sources, did decompilation of applets and even wrote a "hello world" application :-). So I have varied experience in Java, but still small, especially in developing Java applications, so except for error messages in JSP web applications I've not seen other output of debug information. For this reason it's hard for me to tell you about specific disclosures in such webapps/apps and the risks in every particular case, but in general it's better to turn debug messages off in a production environment.
>  
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> ----- Original Message -----
> From: Gautam
> To: mustlive at websecurity.com.ua
> Sent: Sunday, May 01, 2011 7:05 AM
> Subject: Debug symbol in Jave Code
> 
> Hi,
> 
> I am not sure if I can write directly to you; however, I am not able to post to the websec forum and it is bouncing me every time.
> 
> I was recently posed a question whether it would be wise (security-wise) to have Java code with DEBUG symbols ON in production. While I come from a C/C++ background, the only issue I could think of was performance here. The product team deferred the performance point and the only thing to get this OK'd was if there are any security issues.
> 
> One issue which I could imagine was if the stack traces come to screen by any chance, then because of the DEBUG symbols it would show the exact stack trace, which would not be good.
> 
> I wanted to know your thoughts on this or any pointer to read more on this.
> 
> 
> 
> Appreciate your reply,
> 
> Gautam
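A check that follows from Gautam's concern about stack traces revealing exact source locations, added here as an example and not part of any message in the thread. The JVM prints frames as `(File.java:NN)` when the class carries `SourceFile` and `LineNumberTable` attributes (javac's default `-g:source,lines`, or full `-g`), `(File.java)` with `-g:source` only, and `(Unknown Source)` when compiled with `-g:none`; the two traces below are constructed samples of the same exception from a debug build and a stripped build, and the package name `com.example.` is assumed.

```python
import re

# Constructed sample: same NullPointerException as logged from a build compiled
# with javac -g (full debug info) and from one compiled with javac -g:none.
DEBUG_BUILD_TRACE = """java.lang.NullPointerException
\tat com.example.billing.InvoiceService.total(InvoiceService.java:87)
\tat com.example.web.InvoiceServlet.doGet(InvoiceServlet.java:42)
\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
"""
STRIPPED_BUILD_TRACE = """java.lang.NullPointerException
\tat com.example.billing.InvoiceService.total(Unknown Source)
\tat com.example.web.InvoiceServlet.doGet(Unknown Source)
\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
"""

# One "at <method>(<location>)" frame line of a Java stack trace.
FRAME_RE = re.compile(r"^\s*at\s+(?P<method>[\w.$<>]+)\((?P<loc>[^)]*)\)\s*$")


def classify_frame(loc):
    """Map the parenthesised part of a frame to the javac -g level it reveals."""
    if loc == "Unknown Source":
        return "none"           # -g:none, or debug attributes stripped later
    if loc == "Native Method":
        return "native"
    if re.fullmatch(r"[\w$]+\.java:\d+", loc):
        return "source+lines"   # javac default (-g:source,lines) or -g
    if re.fullmatch(r"[\w$]+\.java", loc):
        return "source"         # -g:source only: file name, no line numbers
    return "other"


def audit_trace(trace, own_package):
    """Return {method: debug level} for frames in our own code only; library
    frames (e.g. the servlet container) are not under our build's control."""
    findings = {}
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group("method").startswith(own_package):
            findings[m.group("method")] = classify_frame(m.group("loc"))
    return findings


def leaks_line_numbers(trace, own_package):
    """True if any own-code frame exposes a source file and line number."""
    return any(lvl == "source+lines"
               for lvl in audit_trace(trace, own_package).values())
```

Run the same check over error logs or captured HTTP error responses of a deployed build to confirm which `-g` level actually shipped.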



