In DWR, developers may accidentally leave debug mode enabled for a variety of reasons. First, if they are following the DWR getting started guide (http://getahead.org/dwr/getstarted), the default state of the configuration enables debug mode. Second, when a web application using DWR is running, no visual clues are displayed in the application to indicate that debug mode is currently enabled. Thus, it is easy for developers to forget that debug mode is enabled. For developers and attackers alike, testing for enabled debug mode is a simple matter. For example, if the target site is www.cybervillains.com/samplewebapp/, then one can simply browse to www.cybervillains.com/samplewebapp/dwr/. If debug mode is disabled, the attacker/developer will be shown a page stating "Access to debug pages is denied." However, if DWR debug mode is enabled, the attacker/developer will be greeted with a page describing the classes of the web application that are known to DWR. From here, one can browse through each class and obtain a full list of methods exposed by that class.
Debug Mode
The countermeasure for debug mode is quite straightforward: disable debug mode in
production environments.
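Because nothing in the running application reveals that debug mode is on, the reliable place to catch it is the deployment descriptor. The following audit script is an added example, not from the book or the DWR project; it assumes DWR is registered in web.xml as a servlet whose `debug` init-param switches the test pages on, and the embedded web.xml is a constructed sample that mirrors the getting-started configuration with debug still enabled.

```python
import xml.etree.ElementTree as ET

# Servlet classes used by DWR 2.x/3.x and by the legacy 1.x releases.
DWR_SERVLET_CLASSES = {
    "org.directwebremoting.servlet.DwrServlet",
    "uk.ltd.getahead.dwr.DWRServlet",
}

def _local(tag):
    # Drop the namespace so web.xml with or without the Java EE namespace parses the same.
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child element called `name`, or None.
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def dwr_debug_findings(web_xml):
    """Return (servlet-name, debug-value) for every DWR servlet with debug enabled."""
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") not in DWR_SERVLET_CLASSES:
            continue
        debug = "false"  # an absent param is treated as debug off
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "debug":
                debug = (_text(param, "param-value") or "false").lower()
        if debug == "true":
            findings.append((_text(servlet, "servlet-name"), debug))
    return findings

# Constructed sample: debug left on, as in the getting-started configuration.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for name, value in dwr_debug_findings(SAMPLE_WEB_XML):
        print(f"servlet '{name}' has debug={value}: set it to false before deploying")
```

Running it as a pre-deployment check over the real web.xml flags the servlet until the `debug` value is set to `false` or the parameter is removed.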