Enterprises may rely on end-users or developers to assist in tracking and resolving issues with services provided by the enterprises. However, this may create a problem when detailed information is displayed to the end user. In fact, it is common for hackers to use debug information to break the security of a system. Thus, by providing this type of control to the end-users, the enterprises may expose their systems to security risks.
From a business perspective, there may be periods of time where an increased level of tracking is required as a result of a business concern, troubleshooting of a system issue, deviations in behavior patterns, and/or other potential security risks. Several problems arise when web services need to provide more debug and monitoring information. If an administrator turns on advanced debugging or monitoring for the whole system, then too much data may be generated, which can cause the enterprise service to appear unresponsive or broken. Additionally, the amount of information generated may result in storage problems or create a security vulnerability by exposing sensitive information.
An administrator may therefore want to vary end-user monitoring based on the security risk of individuals, or may want to allow end users to influence how much debugging or monitoring is done on their accounts. This is typically achieved by placing a cookie on the browser that turns on “debug” or “monitoring” at a specific level. The cookie can be set automatically, or set by an end user who selects an option to enable debugging. The problem is that there is often no security on the cookie that is set. Any user can set any cookie on any browser once he/she has seen the cookie, which means a hacker can set the same cookie and thereby enable debug, which may disclose information about the system that can be used to break into that system (creating a security hole). It is also well known that the set of values of a cookie used for enabling debugging capabilities is commonly posted on hacker web sites.
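The weakness described above, next to one possible mitigation, as an added example that is not part of the original text: the first function trusts whatever `debug` cookie the browser sends, while the second accepts only a value the server issued for that account, with an expiry and an HMAC. The cookie name, the `user|level|expiry|tag` layout, the demo key and all function names are assumptions made for illustration, and user ids are assumed not to contain `|`.

```python
import hashlib
import hmac
import time

# Constructed key for the demo; a real deployment would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def naive_debug_level(cookies):
    """The unprotected pattern: any client that sends the cookie is trusted."""
    return int(cookies.get("debug", "0"))


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_debug_cookie(user_id, level, ttl_seconds, now=None):
    """Server-side issuance: bind the level to one account and an expiry, then MAC it."""
    issued_at = int(now if now is not None else time.time())
    payload = f"{user_id}|{level}|{issued_at + ttl_seconds}"
    return f"{payload}|{_tag(payload)}"


def verified_debug_level(cookies, session_user, now=None):
    """Return the granted level, or 0 when the cookie is absent, hand-set,
    altered, presented under another account, or expired."""
    parts = cookies.get("debug", "").split("|")
    if len(parts) != 4:
        return 0  # a bare value such as "3" never reaches the MAC check
    user_id, level, expires, tag = parts
    expected = _tag(f"{user_id}|{level}|{expires}")
    # Compare as bytes in constant time; reject anything the server did not sign.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return 0
    if user_id != session_user:
        return 0  # cookie copied from a different account
    current = now if now is not None else time.time()
    if int(expires) < current:
        return 0  # debugging window has closed
    return int(level)
```

The session user passed to `verified_debug_level` must come from the authenticated session, not from the cookie itself.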
Another common problem with uncontrolled or insecure debugging and monitoring is that the browser view presented to an end user is assembled from many web services, some of which may not be owned or operated by the end user's company. A simple cookie that is used to enable advanced debug information does not carry enough data or security for an external web service to trust the request and send advanced debug or monitoring data.