[WEB SECURITY] Debug symbol in Java Code

Gautam itsecanalyst at gmail.com
Thu May 5 14:42:29 EDT 2011


Thanks everyone for your time and pointers.

Gautam

On Wed, May 4, 2011 at 3:17 PM, Henri Salo <henri at nerv.fi> wrote:

> On Wed, May 04, 2011 at 01:34:14PM -0700, Gautam wrote:
> > Hi MustLive (Don't know your real name, apologies)
> >
> > So while I am happy I was correct (after reading your mail below) and have
> > mentioned that we should not have '-g' debug 'ON' in production build.
> >
> > Now a response to that was 'hey we are just writing web services and they
> > don't put anything on the webpages and if no stack traces are seen we don't
> > see any security issue here'.
> >
> > What are your thoughts on this?
> >
> > Adding WASC mailing list, in case it goes this time.
> >
> > Thanks,
> > Gautam
>
>     * HELLO EVERY*
>
> Security wise it is be wise to not to have functionality. Thus not Abuse of
> Functionality issues! I like to warn everybody of HTTP 200 code to not allow
> everyone in sites on every platform and to not allow InFoRmaTion LeaKage!!
>
> Best debug messages & advisory overload,
> Wanabe MusntLive
> Administrator of Pure Logic
> ps. when do we get end to this MustLive bullshit?
>