Stack traces reveal technical information

Description

When the server application receives unexpected input, an unhandled error is returned to the client together with technical details about the application's internals, such as a stack trace, source file paths and line numbers, or the names and versions of frameworks and libraries in use.

An attacker can use this information to understand how the application handles input, to map its internal structure, and to formulate further attacks (for example, by targeting known weaknesses in the libraries the trace names). Information leakage of this kind should be suppressed to deny attackers that insight and to prevent exposure of potentially sensitive details.

Recommendation

A custom error page that contains no technical information should be returned instead. The exception, including its full stack trace, should be logged server side but never shown to the user. The stack trace must never be included anywhere in the page's HTML source (for example in a comment or hidden element), even if client-side source viewing has been disabled, since the raw response can still be recovered through other mechanisms such as an intercepting proxy or a simple HTTP client.
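The following is an added example, not code from the original page: a minimal pure-standard-library handler pair showing the leaky pattern beside the hardened one, plus a check that a scanner or test suite can run over a response body. The view function, the input it rejects and the markers used by the check are assumptions made for illustration.

```python
import logging
import re
import traceback
import uuid

logger = logging.getLogger("app")


def view_profile(user_id: str) -> str:
    # Hypothetical business logic: only numeric ids are valid, anything
    # else raises ValueError (the "unexpected input" of the description).
    return f"<h1>Profile {int(user_id)}</h1>"


def handle_verbose(user_id: str) -> tuple[int, str]:
    """Leaky handler: the traceback is written straight into the response."""
    try:
        return 200, view_profile(user_id)
    except Exception:
        # Anti-pattern: exposes file paths, line numbers and exception text.
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def handle_hardened(user_id: str) -> tuple[int, str]:
    """Hardened handler: log the traceback server side, return a generic page.

    A random incident id is logged and echoed so a user can quote it to
    support without the page revealing anything about the failure itself.
    """
    try:
        return 200, view_profile(user_id)
    except Exception:
        incident_id = uuid.uuid4().hex
        # logger.exception() records the full stack trace in the server log.
        logger.exception("unhandled error, incident_id=%s", incident_id)
        body = ("<h1>Something went wrong</h1>"
                f"<p>Please contact support and quote reference {incident_id}.</p>")
        return 500, body


# Markers that indicate a Python stack trace or source location leaked into
# HTML. Patterns are constructed for this example; extend per platform.
_LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),
    re.compile(r"\b[A-Za-z]+(Error|Exception)\b"),
]


def contains_stack_trace(html: str) -> bool:
    """Return True if the response body carries stack-trace style content."""
    return any(p.search(html) for p in _LEAK_PATTERNS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for handler in (handle_verbose, handle_hardened):
        status, body = handler("not-a-number")
        print(handler.__name__, status, "leaks:", contains_stack_trace(body))
```

The check is deliberately run on the raw response body rather than on the rendered page, which is the point of the recommendation: hidden elements, comments and `<pre>` blocks are all visible to anyone who fetches the response with a proxy or a script.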

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_6
  • OWASP_MASVS_L2:
    • MSTG_CODE_6
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3