websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] Debug symbol in Java Code

Gautam
Wed, May 4, 2011 8:34 PM

Hi MustLive (Don't know your real name, apologies)

So while I am happy I was correct (after reading your mail below) and have
mentioned that we should not have '-g' debug 'ON' in the production build.

Now a response to that was "hey, we are just writing web services and they
don't put anything on the web pages, and if no stack traces are seen we don't
see any security issue here".

What are your thoughts on this?

Adding WASC mailing list, in case it goes this time.

Thanks,
Gautam

On Wed, May 4, 2011 at 9:59 AM, MustLive <mustlive@websecurity.com.ua> wrote:

Hello Gautam!

You meant the WASC Web Security Mailing List?

With no doubt you can write me directly :-), but taking into account that
I'm a busy man, for faster answers it's better for you to send questions to
the mailing list, where many people will see them and will be able to answer
you.

if it would be wise to (security wise) have Java code with DEBUG symbols ON in production.

It's not wise for any programming language to show any debug information in
a production environment (like at web sites), in Java as in any other
language, so as not to allow any information leakage which can occur within
debug information.

Concerning Java in particular, I have some experience in it (including
pentesting sites on JSP, where I saw Information Disclosure via error
messages many times, so error messaging on the server/webapp must be turned
off), have read a lot of sources, did decompilation of applets and even wrote
a "hello world" application :-). So I have various experience in Java, but
still small, especially in developing Java applications, so apart from error
messages in JSP web applications I've not seen other output of debug
information. For this reason it's hard for me to tell you about specific
disclosures in such webapps/apps and the risks in every particular case, but
in general it's better to turn debug messages off in the production environment.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: Gautam <itsecanalyst@gmail.com>
To: mustlive@websecurity.com.ua
Sent: Sunday, May 01, 2011 7:05 AM
Subject: Debug symbol in Java Code

Hi,

I am not sure if I can write directly to you, however I am not able to post
to the websec forum and it is bouncing me every time.

I was recently posed the question of whether it would be wise (security wise)
to have Java code with DEBUG symbols ON in production. I come from a C/C++
background and the only issue I could think of was performance here. The
product team deferred the performance point, and the only thing to get this
OK'd was if there are any security issues.

One issue which I could imagine was if the stack traces come to screen by
any chance, then because of the DEBUG symbols it would show the exact
stack trace, which would not be good, I thought.

I wanted to know your thoughts on this or any pointer to read more on this.

Appreciate your reply,

Gautam

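An added illustration of the point under discussion (this is not code from the thread or from any of its participants): javac's default setting, `-g:source,lines`, emits the SourceFile and LineNumberTable attributes, full `-g` additionally emits LocalVariableTable (local variable names), and `-g:none` emits none of them. Rather than arguing about whether a stack trace happens to be visible today, a build check can confirm what the shipped `.class` files actually carry; the script below (Python 3, with a constructed sample class file in place of a real one) parses only the constant pool, since every attribute name must be interned there as a CONSTANT_Utf8 entry.

```python
import struct

# javac emits SourceFile and LineNumberTable by default (-g:source,lines),
# adds LocalVariableTable with full -g, and emits none of them with -g:none.
DEBUG_ATTRIBUTES = {"SourceFile", "LineNumberTable", "LocalVariableTable"}
# Payload size in bytes (after the 1-byte tag) of each non-Utf8 pool tag.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_utf8(data):
    """Return every CONSTANT_Utf8 string in the class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, strings = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then modified-UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return strings

def debug_attributes(data):
    """Debug attribute names interned in the pool. An absent name proves the
    attribute is absent; a present name is strong (not absolute) evidence."""
    return DEBUG_ATTRIBUTES & set(constant_pool_utf8(data))

def javac_debug_level(data):
    """Map what was found back to the javac setting that produces it."""
    found = debug_attributes(data)
    if "LocalVariableTable" in found:
        return "-g"
    return "-g:source,lines" if found else "-g:none"

def build_sample_class(utf8_names):
    """Constructed test input: header plus a constant pool holding the given
    Utf8 strings and one Long entry; no fields, methods or attributes."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(n.encode())) + n.encode()
                    for n in utf8_names)
    pool += b"\x05" + bytes(8)    # CONSTANT_Long, takes two pool slots
    count = len(utf8_names) + 3   # slots used plus one; indices start at 1
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count) + pool
```

Run it over the classes extracted from a production jar (`open(path, "rb").read()`); any class reporting `-g` still carries local variable names, whatever the web tier currently shows.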
Jeremiah Heller
Wed, May 4, 2011 10:06 PM

On May 4, 2011, at 1:34 PM, Gautam wrote:

Hi MustLive (Don't know your real name, apologies)

So while I am happy I was correct (after reading your mail below) and have mentioned that we should not have '-g' debug 'ON' in the production build.

Now a response to that was "hey, we are just writing web services and they don't put anything on the web pages, and if no stack traces are seen we don't see any security issue here".

Have you seen this OWASP page? It should provide criteria to gauge your case by.

https://www.owasp.org/index.php/Information_Leakage

Thanks,
Gautam

On Wed, May 4, 2011 at 9:59 AM, MustLive <mustlive@websecurity.com.ua> wrote:
Hello Gautam!

You meant the WASC Web Security Mailing List?

With no doubt you can write me directly :-), but taking into account that I'm a busy man, for faster answers it's better for you to send questions to the mailing list, where many people will see them and will be able to answer you.

if it would be wise to (security wise) have Java code with DEBUG symbols ON in production.

It's not wise for any programming language to show any debug information in a production environment (like at web sites), in Java as in any other language, so as not to allow any information leakage which can occur within debug information.

Concerning Java in particular, I have some experience in it (including pentesting sites on JSP, where I saw Information Disclosure via error messages many times, so error messaging on the server/webapp must be turned off), have read a lot of sources, did decompilation of applets and even wrote a "hello world" application :-). So I have various experience in Java, but still small, especially in developing Java applications, so apart from error messages in JSP web applications I've not seen other output of debug information. For this reason it's hard for me to tell you about specific disclosures in such webapps/apps and the risks in every particular case, but in general it's better to turn debug messages off in the production environment.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: Gautam
To: mustlive@websecurity.com.ua
Sent: Sunday, May 01, 2011 7:05 AM
Subject: Debug symbol in Java Code

Hi,

I am not sure if I can write directly to you, however I am not able to post to the websec forum and it is bouncing me every time.

I was recently posed the question of whether it would be wise (security wise) to have Java code with DEBUG symbols ON in production. I come from a C/C++ background and the only issue I could think of was performance here. The product team deferred the performance point, and the only thing to get this OK'd was if there are any security issues.

One issue which I could imagine was if the stack traces come to screen by any chance, then because of the DEBUG symbols it would show the exact stack trace, which would not be good, I thought.

I wanted to know your thoughts on this or any pointer to read more on this.

Appreciate your reply,

Gautam

Henri Salo
Wed, May 4, 2011 10:17 PM

On Wed, May 04, 2011 at 01:34:14PM -0700, Gautam wrote:

Hi MustLive (Don't know your real name, apologies)

So while I am happy I was correct (after reading your mail below) and have
mentioned that we should not have '-g' debug 'ON' in the production build.

Now a response to that was "hey, we are just writing web services and they
don't put anything on the web pages, and if no stack traces are seen we don't
see any security issue here".

What are your thoughts on this?

Adding WASC mailing list, in case it goes this time.

Thanks,
Gautam

* HELLO EVERY*

Security wise it is be wise to not to have functionality. Thus not Abuse of Functionality issues! I like to warn everybody of HTTP 200 code to not allow everyone in sites on every platform and to not allow InFoRmaTion LeaKage!!

Best debug messages & advisory overload,
Wanabe MusntLive
Administrator of Pure Logic
ps. when do we get an end to this MustLive bullshit?

Gautam
Thu, May 5, 2011 6:42 PM

Thanks everyone for your time and pointers.

Gautam

On Wed, May 4, 2011 at 3:17 PM, Henri Salo <henri@nerv.fi> wrote:

On Wed, May 04, 2011 at 01:34:14PM -0700, Gautam wrote:

Hi MustLive (Don't know your real name, apologies)

So while I am happy I was correct (after reading your mail below) and have
mentioned that we should not have '-g' debug 'ON' in the production build.

Now a response to that was "hey, we are just writing web services and they
don't put anything on the web pages, and if no stack traces are seen we don't
see any security issue here".

What are your thoughts on this?

Adding WASC mailing list, in case it goes this time.

Thanks,
Gautam

* HELLO EVERY*

Security wise it is be wise to not to have functionality. Thus not Abuse of
Functionality issues! I like to warn everybody of HTTP 200 code to not allow
everyone in sites on every platform and to not allow InFoRmaTion LeaKage!!

Best debug messages & advisory overload,
Wanabe MusntLive
Administrator of Pure Logic
ps. when do we get an end to this MustLive bullshit?
