Kingdom: Encapsulation
Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.
ColdFusion Bad Practices: Leftover Debug Code
Abstract
The
<cfdump>
tag can leak sensitive information in a deployed web application.Explanation
It is common practice to output the values of variables for debugging or testing purposes with code that is not intended to be shipped or remain active in the deployed application. When this sort of debug code is accidentally left in the application, the application may provide information to an attacker in unintended ways. Not all debugging statements leak sensitive or private information. However, the presence of a debugging statement often indicates that the surrounding code has been neglected and may be in a state of disrepair.
The most common example of forgotten debug code in ColdFusion is the
The most common example of forgotten debug code in ColdFusion is the
<cfdump>
tag. Although use of <cfdump>
is a acceptable during product development, developers responsible for code that is part of a production web application should carefully consider whether any use of the <cfdump>
tag should be allowed.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 215
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[19] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.cfml.coldfusion_badpractices_leftover_debug_code