Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Bottle debug mode enabled

By kannthu

Informative
Vidoc logoVidoc Module
#bottle#exposure#debug
Description

What is the "Bottle debug mode enabled?" module?

The "Bottle debug mode enabled" module is designed to detect the presence of debug mode in applications built with the Bottle web framework. Bottle is a lightweight Python web framework that allows developers to build web applications quickly and easily. Debug mode is a feature in Bottle that provides detailed error messages and a debugger when an error occurs. This module focuses on identifying instances where debug mode is enabled, which can potentially expose sensitive information and pose security risks.

This module has an informative severity level, meaning it provides valuable information but does not indicate a vulnerability or misconfiguration.

Author: viondexd

Impact

Enabling debug mode in a production environment can have several implications:

- Exposes detailed error messages and stack traces to potential attackers - May reveal sensitive information, such as database credentials or API keys - Can lead to performance issues due to the additional overhead of the debugger

How does the module work?

The "Bottle debug mode enabled" module works by sending HTTP requests to the target application and analyzing the responses for specific patterns. It uses the following matching conditions:

- If the response body contains the phrase "Sorry, the requested URL" and " caused an error:", it indicates that an error has occurred. - If the response body contains either "'{{BaseURL}}'" or "'{{BaseURL}}/'", it suggests that the application is using the default debug mode configuration.

By detecting these patterns, the module can determine if debug mode is enabled in the Bottle application.

Example HTTP request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Note: This is just an example request and may vary depending on the target application.

Module preview

Concurrent Requests (0)
Passive global matcher
word: Sorry, the requested URL , caused an er...and
word: <tt>&#039;{{BaseURL}}&#039;</tt>, <tt>&#...
On match action
Report vulnerability