44 lines
1.1 KiB
Plaintext
44 lines
1.1 KiB
Plaintext
== Why is this an issue?
|
|
|
|
The debugger statement can be placed anywhere in procedures to suspend execution. Using the debugger statement is similar to setting a breakpoint in the code. By definition such statement must absolutely be removed from the source code to prevent any unexpected behavior or added vulnerability to attacks in production.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,javascript]
|
|
----
|
|
for (i = 1; i<5; i++) {
|
|
// Print i to the Output window.
|
|
Debug.write("loop index is " + i);
|
|
// Wait for user to resume.
|
|
debugger;
|
|
}
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,javascript]
|
|
----
|
|
for (i = 1; i<5; i++) {
|
|
// Print i to the Output window.
|
|
Debug.write("loop index is " + i);
|
|
}
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/489[MITRE, CWE-489] - Active Debug Code
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|