Service exposes publicly debugging endpoints


Description

This API exposes a debug endpoint in a production environment. Frameworks sometimes expose debugging features that are helpful during development. However, those features could be abused by attackers and should be disabled before being deployed to production.

Datadog’s supported framework ecosystem is continually evolving. The following list provides a sample:

Rationale

This finding triggers when requests to known debugging endpoint paths receive a 200 status code, meaning the endpoint is served rather than disabled or blocked. Debugging endpoints in production can lead to security breaches by exposing sensitive data and application internals.
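The check described above can also be run on the defender's side over the service's own access logs. The following script is an added example, not Datadog's detection code: it parses combined-format log lines (the format, the endpoint path list and the sample lines are all assumptions constructed for the example) and reports every request to a well-known debugging path that was answered with HTTP 200, while ignoring paths that merely share a prefix such as /actuators-list.

```python
"""Flag HTTP 200 responses to well-known debugging endpoint paths in access logs.

Added example (not Datadog's detection logic). The log format, the path list
and the sample log lines below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Paths typically served by framework debugging features (assumed list).
DEBUG_PATH_PREFIXES = (
    "/actuator",    # Spring Boot Actuator
    "/telescope",   # Laravel Telescope
    "/_debugbar",   # Laravel Debugbar
    "/__debug__",   # Django Debug Toolbar
)

# Combined-log style line: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int


def is_debug_path(target: str) -> bool:
    """True when the request path is a known debug prefix or lies under it.

    The query string is dropped and a trailing slash normalised, so
    "/actuator/" matches but "/actuators-list" does not.
    """
    path = urlsplit(target).path.rstrip("/") or "/"
    return any(path == p or path.startswith(p + "/") for p in DEBUG_PATH_PREFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposed_debug_endpoints(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line where a debug path was served with HTTP 200."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparseable lines are skipped, not fatal
            continue
        status = int(rec["status"])
        if status == 200 and is_debug_path(rec["target"]):
            findings.append(Finding(rec["ip"], urlsplit(rec["target"]).path, status))
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /actuator/env HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /actuator/health HTTP/1.1" 404 162',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /telescope/requests?page=2 HTTP/1.1" 200 8810',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /api/users HTTP/1.1" 200 412',
    '203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /actuators-list HTTP/1.1" 200 77',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for f in find_exposed_debug_endpoints(SAMPLE_LOG):
        print(f"{f.ip} received {f.status} from debug endpoint {f.path}")
```

A 404 or 401 on the same path is deliberately not reported: the finding is about endpoints that are actually served. Running this over a production log stream, or pointing a log-based detection at the same condition, gives an early signal before an external check does.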

Remediation

  • Disable debug endpoints in production. The method varies based on the debugging tool being used; examples are provided for illustration purposes:

    • Java Actuator (Spring Boot) endpoint exposure is set in the application.properties configuration file by specifying management.endpoints.web.exposure.include=[] (see the documentation for more information). Be aware that in certain configurations these endpoints expose application metrics and internals, so restrict access to them.

    • In PHP frameworks, it is common to install the package as a development dependency using the --dev flag to prevent the feature from being added in the production release. For example: composer require laravel/telescope --dev.
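Both remediation items above can be checked before deployment. The following audit script is an added example, not Datadog's or either framework's own tooling: it reads a Spring Boot application.properties file and a Laravel composer.json, flags an actuator exposure list that is `*` or contains sensitive endpoints, and flags debugging packages listed under "require" instead of "require-dev". The sensitive-endpoint set, the dev-only package list and the sample files are assumptions constructed for the example; the `[]` value is the one the text above gives and is treated here as "nothing exposed".

```python
"""Audit framework configuration for debugging features left enabled.

Added example (not Datadog's, Spring's or Laravel's code). The endpoint names,
package names and sample configuration files are assumptions for illustration.
"""
import json
from typing import Dict, List, Sequence

EXPOSURE_KEY = "management.endpoints.web.exposure.include"

# Actuator endpoints that reveal configuration, secrets or memory contents
# (assumed list; extend to match your own risk appetite).
SENSITIVE_ACTUATOR_ENDPOINTS = {
    "env", "heapdump", "beans", "configprops", "threaddump",
    "loggers", "mappings", "httptrace", "shutdown",
}

# Packages that belong in composer.json "require-dev", never "require".
DEV_ONLY_PACKAGES: Sequence[str] = ("laravel/telescope", "barryvdh/laravel-debugbar")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key: value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_actuator_exposure(properties_text: str) -> List[str]:
    """Return findings for the web exposure list of Spring Boot Actuator."""
    props = parse_properties(properties_text)
    value = props.get(EXPOSURE_KEY)
    if value is None:
        return [f"{EXPOSURE_KEY} is not set; the framework default applies, confirm it"]
    # "[]" (as in the remediation text) and an empty value both mean: expose nothing.
    exposed = {e.strip() for e in value.strip("[]").split(",") if e.strip()}
    if "*" in exposed:
        return ["all actuator endpoints exposed over HTTP (include=*)"]
    sensitive = sorted(exposed & SENSITIVE_ACTUATOR_ENDPOINTS)
    if sensitive:
        return ["sensitive actuator endpoints exposed: " + ", ".join(sensitive)]
    return []


def audit_composer_dev_tools(composer_json_text: str,
                             dev_only: Sequence[str] = DEV_ONLY_PACKAGES) -> List[str]:
    """Return findings for debugging packages installed as production dependencies."""
    data = json.loads(composer_json_text)
    require = data.get("require", {})
    return [
        f"{pkg} is in 'require'; move it to 'require-dev' (composer require {pkg} --dev)"
        for pkg in dev_only if pkg in require
    ]


# Constructed samples: the weak setting beside its corrected form.
WEAK_PROPERTIES = "# development profile copied to prod\nmanagement.endpoints.web.exposure.include=*\n"
FIXED_PROPERTIES = "management.endpoints.web.exposure.include=[]\n"

WEAK_COMPOSER = json.dumps({
    "require": {"laravel/framework": "^10.0", "laravel/telescope": "^4.0"},
    "require-dev": {},
})
FIXED_COMPOSER = json.dumps({
    "require": {"laravel/framework": "^10.0"},
    "require-dev": {"laravel/telescope": "^4.0"},
})

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(f"application.properties ({label}):", audit_actuator_exposure(text) or "ok")
    for label, text in (("weak", WEAK_COMPOSER), ("fixed", FIXED_COMPOSER)):
        print(f"composer.json ({label}):", audit_composer_dev_tools(text) or "ok")
```

The audit is intentionally strict about an absent exposure key: which endpoints a framework exposes by default depends on its version, so the script reports the omission rather than assuming a safe default. Wiring both functions into a CI step that runs on the production configuration catches the misconfiguration before the external finding does.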