Aimed at security: Debug mode
Foreword
I decided to write an article about why you should never leave debug mode enabled on your site in a production environment. Why am I writing a post about something as crystal clear as this? Because I recently saw a Symfony web site whose debug mode was accessible to everyone simply by opening the default path https://example.co.uk/app_dev.php, and I wished I had been blind instead.
What can an attacker get from debug mode?
All URL addresses
By opening a non-existing URL you get the full list of routes. Among them there can be addresses for testing purposes and/or forgotten ones, maybe some old API calls. Of course these should not be in production... but be honest: who has never made something quick and dirty?
Database structure
Examining the database structure is easy because all queries are logged. Although the attacker cannot access the data itself, everyone sees your table names and (if you are using Doctrine1) all column names. A database schema isn't something you want to expose if your project isn't open source... and everyone sees how much of an amateur you are.
Getting sensitive information
Can an attacker access sensitive data? Well, it depends... let's try one example:
<?php
// src/Controller/PaymentController.php
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class PaymentController extends Controller
{
    // Placeholder: the post never shows the real account identifier.
    const MATOK_ACCOUNT = 'ACCOUNT-PLACEHOLDER';

    public function paymentAction(Request $request, $amount)
    {
        // The secret is read here and handed down as a plain method argument,
        // which is exactly what a debug stack trace will print.
        $accessCode = $this->getParameter('secret_bank_code');
        $payment = $this->get('blog.payment');
        $payment->sendMoney($amount, self::MATOK_ACCOUNT, $accessCode);

        return $this->render('Example::payment.html.twig');
    }
}
... and the payment service code:
<?php
// src/Payment/PaymentService.php
class Payment
{
    public function __construct(/* ...arguments... */)
    {
        // ...
    }

    public function sendMoney($amount, $receiver, $accessCode)
    {
        // Validation happens only here; with no route requirement on $amount,
        // any non-numeric value ends up throwing from this line.
        if ($amount <= 0) {
            throw new \Exception('Amount is not valid!');
        }
        // ...
    }
}
What if the requirements for $amount are not properly defined in the routing? Anyone can pass anything and the exception is raised. In production mode it can look like this screenshot.
But in debug mode anyone can spot the secret information in the exception page, because the trace lists every frame together with its arguments, including $accessCode. Well, this code was written this way just for demonstration... but it's likely that a visitor/attacker will see something that should be confidential.
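A hardened version of the same controller and service, added here as an example that is not the post's own code. It assumes SensioFrameworkExtraBundle route annotations and a services.yml entry that injects the %secret_bank_code% parameter into the service constructor; MATOK_ACCOUNT keeps a placeholder value because the post never shows the real one. Two things change: the route requirement turns a non-numeric amount into a 404 before the action runs, and the secret lives in a private property of the service instead of travelling through the call chain, so even a debug-mode trace of sendMoney() has no argument to print (Symfony's flattened trace renders an object argument as its class name only, not its properties).

```php
<?php
// src/Controller/PaymentController.php (hardened; added example, not the original post's code)
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class PaymentController extends Controller
{
    // Placeholder: the post never shows the real account identifier.
    const MATOK_ACCOUNT = 'ACCOUNT-PLACEHOLDER';

    /**
     * The requirement restricts {amount} to digits, so /payment/abc is answered
     * by the router with 404 and never reaches this action.
     *
     * @Route("/payment/{amount}", name="payment", requirements={"amount"="\d+"})
     */
    public function paymentAction(Request $request, $amount)
    {
        $amount = (int) $amount;

        // Second line of defence inside the action: reply with a plain HTTP error
        // instead of letting an exception (and its stack trace) bubble up.
        if ($amount <= 0) {
            return new Response('Invalid amount.', Response::HTTP_BAD_REQUEST);
        }

        // The controller never touches the secret; the service already has it.
        $payment = $this->get('blog.payment');
        $payment->sendMoney($amount, self::MATOK_ACCOUNT);

        return $this->render('Example::payment.html.twig');
    }
}

// src/Payment/PaymentService.php (hardened; added example, not the original post's code)
class Payment
{
    /** @var string */
    private $accessCode;

    // Wired by the container, e.g. in services.yml (assumed):
    //   blog.payment:
    //       class: Payment
    //       arguments: ['%secret_bank_code%']
    public function __construct($accessCode)
    {
        $this->accessCode = $accessCode;
    }

    public function sendMoney($amount, $receiver)
    {
        // Kept as a guard, but no secret is an argument of this frame any more.
        if ($amount <= 0) {
            throw new \InvalidArgumentException('Amount is not valid!');
        }
        // ... perform the transfer using $this->accessCode ...
    }
}
```

The route requirement is the cheap fix and the one the post is asking for; moving the secret into the service is the belt-and-braces part, because it also protects you against any other exception thrown further down the same call chain.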
Conclusion
Debug mode is very dangerous. Under no circumstances should you expose debug mode (no matter what framework you are using) to the public. How do you hide it? That's your job. You can write to me for help.
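For the Symfony case from the foreword, the simplest answer is not to deploy web/app_dev.php at all. If it has to exist on a staging box, the guard below (added here as an example, adapted from the loopback check that Symfony Standard Edition ships in its default app_dev.php, not the post's own code) refuses every request that does not originate on the machine itself. It assumes a Symfony 2.x/3.x layout with an AppKernel class and the standard Composer autoloader.

```php
<?php
// web/app_dev.php (added example: loopback-only debug front controller)
use Symfony\Component\Debug\Debug;
use Symfony\Component\HttpFoundation\Request;

// Refuse the debug front controller to anything that is not the local machine.
// Proxy headers are rejected outright: they are client-supplied, so honouring
// them would let a remote visitor pretend to be 127.0.0.1.
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !(in_array(@$_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1'], true) || PHP_SAPI === 'cli-server')
) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}

require __DIR__.'/../vendor/autoload.php';
// Symfony 2.x also needs: require __DIR__.'/../app/AppKernel.php';

Debug::enable();

$kernel = new AppKernel('dev', true);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
```

Treat this as a safety net rather than the control: an excluded file in your deployment script (or a web-server rule that only serves app.php) is what actually keeps the debug environment off the public site, and a quick request for /app_dev.php after every deploy, expecting a 403 or 404, is the check that proves it.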
Footnotes:
1: by default Doctrine prints all column names
I'm a foreigner. Where I live my friends call me Maťok.