rspec/rules/S4507/xml/rule.adoc

Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during development, they should never be enabled for applications deployed in production.

Activating a development feature in production can have an important range of consequences depending on its use:

* Technical information leak; generally by disclosing verbose logging information to the application's user.
* Arbitrary code execution; generally with a parameter that will allow the remote debugging or profiling of the application.

In all cases, the attack surface of an affected application is increased. In some cases, such features can also make the exploitation of other unrelated vulnerabilities easier.

== Ask Yourself Whether

* The development of the app is completed and the development feature is activated.
* The app is distributed to end users with the development feature activated

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

Applications should be released without any development feature activated. When such features are required when in
the development process of the application, they should only apply to a build variant that is dedicated to 
development environments. That variant should not be set as the default build configuration to prevent any unattended development feature exposition.

== Sensitive Code Example

In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++true++``. The application will therefore be debuggable.

[source,xml]
----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="true"
  android:theme="@style/AppTheme">
</application>  <!-- Sensitive --> 
----

In a `web.config` file, the `customErrors` element's `mode` attribute is set to `Off`. The application will disclose unnecessarily verbose information to its users upon error.

[source,xml]
----
<configuration>
  <system.web>
    <customErrors mode="Off" /> <!-- Sensitive -->
  </system.web>
</configuration>
----

== Compliant Solution

In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++false++``:

[source,xml]
----
<application
  android:icon="@mipmap/ic_launcher"
  android:label="@string/app_name"
  android:roundIcon="@mipmap/ic_launcher_round"
  android:supportsRtl="true"
  android:debuggable="false"
  android:theme="@style/AppTheme">
</application> <!-- Compliant --> 
----

In a `web.config` file, the `customErrors` element's `mode` attribute is set to `On`:

[source,xml]
----
<configuration>
  <system.web>
    <customErrors mode="On" /> <!-- Compliant -->
  </system.web>
</configuration>
----

== See

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements
* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality
* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information
* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release
* https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Create rule S4507: add Docker support (APPSEC-441) (#1542) 2023-02-07 15:04:20 +01:00			`Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during development, they should never be enabled for applications deployed in production.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`Activating a development feature in production can have an important range of consequences depending on its use:`
Force linebreaks 2021-02-02 15:02:10 +01:00
Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`* Technical information leak; generally by disclosing verbose logging information to the application's user.`
			`* Arbitrary code execution; generally with a parameter that will allow the remote debugging or profiling of the application.`
Create rule S4507: add Docker support (APPSEC-441) (#1542) 2023-02-07 15:04:20 +01:00
Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`In all cases, the attack surface of an affected application is increased. In some cases, such features can also make the exploitation of other unrelated vulnerabilities easier.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Ask Yourself Whether`

Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`* The development of the app is completed and the development feature is activated.`
Fix broken or dangerous backquotes Co-authored-by: Marco Borgeaud <89914223+marco-antognini-sonarsource@users.noreply.github.com> 2023-10-30 10:33:56 +01:00			`* The app is distributed to end users with the development feature activated`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
Create rule S4507: add Docker support (APPSEC-441) (#1542) 2023-02-07 15:04:20 +01:00			`There is a risk if you answered yes to any of those questions.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Recommended Secure Coding Practices`

Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`Applications should be released without any development feature activated. When such features are required when in`
			`the development process of the application, they should only apply to a build variant that is dedicated to`
			`development environments. That variant should not be set as the default build configuration to prevent any unattended development feature exposition.`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`== Sensitive Code Example`

Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++true++``. The application will therefore be debuggable.
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Modify multiple rules: Clean up texts of MMF-2503 (#1497) 2023-01-09 15:29:41 +01:00			`[source,xml]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="true"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Sensitive -->`
			`----`

Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			In a `web.config` file, the `customErrors` element's `mode` attribute is set to `Off`. The application will disclose unnecessarily verbose information to its users upon error.

			`[source,xml]`
			`----`
			`<configuration>`
			`<system.web>`
			`<customErrors mode="Off" /> <!-- Sensitive -->`
			`</system.web>`
			`</configuration>`
			`----`

Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`== Compliant Solution`

update; grammar fixes 2021-02-11 16:56:46 +01:00			In ``++AndroidManifest.xml++`` the android debuggable property is set to ``++false++``:

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,xml]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`<application`
			`android:icon="@mipmap/ic_launcher"`
			`android:label="@string/app_name"`
			`android:roundIcon="@mipmap/ic_launcher_round"`
			`android:supportsRtl="true"`
			`android:debuggable="false"`
			`android:theme="@style/AppTheme">`
			`</application> <!-- Compliant -->`
			`----`

Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			In a `web.config` file, the `customErrors` element's `mode` attribute is set to `On`:

			`[source,xml]`
			`----`
			`<configuration>`
			`<system.web>`
			`<customErrors mode="On" /> <!-- Compliant -->`
			`</system.web>`
			`</configuration>`
			`----`

Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
add mobile security standards, links and tags to mobile rules and add new CWEv4.4 entries (#112) 2021-06-10 10:04:10 +02:00			`* https://mobile-security.gitbook.io/masvs/security-requirements/0x12-v7-code_quality_and_build_setting_requirements[Mobile AppSec Verification Standard] - Code Quality and Build Setting Requirements`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality[OWASP Mobile Top 10 2016 Category M10] - Extraneous Functionality`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/215[MITRE, CWE-215] - Information Exposure Through Debug Information`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* https://developer.android.com/studio/publish/preparing[developer.android.com] - Prepare for release`
Modify rule S4507: Adding support for web.config error handling parameters (XML)(APPSEC-700) (#1938) 2023-07-04 18:38:07 +02:00			`* https://learn.microsoft.com/en-us/aspnet/web-forms/overview/getting-started/getting-started-with-aspnet-45-web-forms/aspnet-error-handling[learn.microsoft.com] - ASP.NET Error Handling`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`