Skip to content

Stacktrace

Description

Details about database-level or code-level errors have been found in the response. This may cause information leaks, allowing attackers to identify the exact database or dependency you are using, and can therefore lead to highly targeted attacks against your application.

Example: sending getUser(id: null) returns { message: "SQL Error: Postgres 3.6 has encountered an error : Invalid ID."}.

Remediation

Always avoid database error codes or stack traces to be returned directly to the client. Catch all exception and return a specific error code and message.

If you are working in a development or staging environment, error disclosure might happen on purpose. In that case, check if this is also the case in production by:

  • Using our cURL copy button to find the request that generated the stack trace.
  • Changing URL and authentication tokens to match your production environment.

GraphQL Specific

Apollo To address issues within the Apollo framework engine, ensure that all dependencies are up to date, follow best practices for error handling, and regularly audit your code for security vulnerabilities. Additionally, consider implementing proper logging to capture stack traces for debugging while avoiding exposure of sensitive information in production environments.
Yoga To address issues within the Yoga framework engine, ensure that all dependencies are up-to-date, utilize proper error handling mechanisms, and adhere to the framework's best practices for security and performance. Regularly review the documentation and community resources for updates and patches that can help mitigate potential vulnerabilities or bugs.
Awsappsync To mitigate issues within the AWS AppSync framework engine, ensure that you are handling errors gracefully and logging them appropriately. Implement structured error handling to capture stack traces and exceptions without exposing sensitive information to the client. Regularly review and update your security policies and IAM roles to adhere to the principle of least privilege. Monitor and analyze the logs to detect and respond to any abnormal behavior promptly. Additionally, keep the AWS AppSync service and all related dependencies up to date with the latest security patches and best practices.
Graphqlgo To mitigate the risk of injection attacks in a GraphQL Go framework engine, ensure that all user-supplied input is properly validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection vulnerabilities. Additionally, implement proper error handling to avoid exposing sensitive stack trace information to the client. Regularly review and update your security practices to address new and emerging threats.
Graphqlruby Ensure that the GraphQL Ruby framework is configured to sanitize and validate all inputs to prevent injection attacks. Use the built-in mechanisms for parameterized queries and argument validation to avoid potential security vulnerabilities. Regularly update the framework and its dependencies to incorporate the latest security patches and features.
Hasura To mitigate the risk of SQL injection and ensure secure query handling within the Hasura framework, it is recommended to utilize prepared statements with parameterized queries. This practice prevents attackers from manipulating the SQL syntax by injecting malicious code. Always validate and sanitize user inputs, and employ Hasura's built-in mechanisms for role-based access control to restrict data access and operations based on user roles.
Agoo Implement custom error handling to sanitize error messages and avoid exposing stack traces or sensitive information in the response.
Ariadne Implement custom error handling in the Ariadne framework to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Caliban Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Dgraph Implement error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Dianajl Implement a custom error handler in the DianaJL framework engine to sanitize error messages and prevent detailed stack traces from being exposed to end users.
Directus Configure error handling in Directus to use custom error messages and disable detailed stack traces in production environments to prevent information leakage.
Flutter Implement error handling to catch exceptions and display user-friendly error messages without exposing stack traces or sensitive information.
Graphene Implement custom error handling in the Graphene framework to ensure that stack traces and detailed error messages are not exposed to end users. Instead, return generic error messages and log the detailed errors securely for internal review.
Graphqlapiforwp Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in GraphQL responses.
Graphqlgophergo Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in GraphQL responses.
Graphqljava Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in GraphQL responses.
Graphqlphp Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in GraphQL responses.
Graphqlyoga Implement custom error handling middleware in GraphQL Yoga to sanitize error messages and avoid exposing sensitive information in stack traces.
Hypergraphql Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Jaal Implement custom error handling middleware in the Jaal framework to sanitize error messages and avoid exposing stack traces or sensitive information to the client.
Juniper Implement custom error handling middleware in the Juniper framework to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Lacinia Implement custom error handling to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Lighthouse Implement custom error handling to prevent stack traces from being exposed in responses.
Mercurius Implement custom error handling in Mercurius to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Morpheusgraphql Implement custom error handling middleware in Morpheus GraphQL to sanitize error messages and avoid exposing sensitive information about the database or server internals.
Qglgen Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Sangria Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Shopify Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Stepzen Implement custom error handling in StepZen to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Strawberry Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Tartiflette Implement custom error handling in Tartiflette to sanitize error messages and avoid exposing stack traces or sensitive information.
Wpgraphql Implement custom error handling in WPGraphQL to ensure that detailed error messages are not exposed to end-users. Instead, log the detailed errors on the server side and return generic error messages to the client.

REST Specific

Asp_net Implement custom error handling in the ASP.NET application to catch exceptions and log them internally, while displaying generic error messages to the user. Use the `customErrors` mode in the Web.config file to configure the error pages that should be shown in production, and avoid revealing sensitive error information. Additionally, review and sanitize all error messages to ensure they do not contain details that could help an attacker.
Ruby_on_rails In Ruby on Rails, ensure that detailed error messages are not exposed to the end users. Instead, use generic error messages and log the detailed stack traces internally. Configure `config.consider_all_requests_local` to `false` in production to prevent full error reports from being rendered in the browser. Additionally, use `rescue_from` in controllers to catch exceptions and render custom error pages. Always sanitize user inputs and use Active Record's built-in parameterized query methods to prevent SQL injection.
Next_js Implement custom error handling in your Next.js application to catch and log errors internally while displaying generic error messages to the users. Avoid sending stack traces or database error details in the response. Use the built-in error pages or create custom error components to provide a user-friendly experience without exposing sensitive information.
Laravel In Laravel, ensure that error messages do not expose sensitive details by configuring the 'debug' mode to 'false' in the '.env' file for production environments. Utilize Laravel's built-in logging system to record errors without revealing them to the end user. Additionally, employ exception handling with try-catch blocks to catch and handle errors gracefully, providing generic error responses to the user. For database queries, use Eloquent ORM or the query builder's parameterized queries to prevent SQL injection and avoid detailed SQL error messages in responses.
Express_js In Express.js, ensure that error handling middleware is configured to catch and sanitize error messages before they are sent to the client. Use a custom error handler that sends generic error responses to avoid leaking stack traces or database information. Additionally, employ logging libraries to record detailed errors internally without exposing them to the end user.
Django In Django, ensure that DEBUG mode is set to False in production to prevent stack traces from being displayed to users. Use Django's built-in logging to record errors internally. Additionally, employ Django's exception handling to catch errors and return generic error messages to the client.
Symfony In Symfony, ensure that error messages are generic and do not expose stack traces to the end user. Use the 'prod' environment for production, which does not display sensitive error details. Additionally, configure the 'monolog' bundle to log errors internally without exposing them to the client. For database interactions, utilize Doctrine's parameterized queries to prevent SQL injection and avoid detailed error messages that could reveal database structure or version information.
Spring_boot In Spring Boot, ensure that detailed error messages are not exposed to the client. Configure a global exception handler using `@ControllerAdvice` and `@ExceptionHandler` annotations to catch exceptions and return a generic error response. Additionally, enable `spring.mvc.log-resolved-exception` to `false` to prevent stack traces from being logged automatically. For database errors, use parameterized queries or JPA methods to prevent SQL injection and avoid revealing database details in error messages.
Flask In Flask, ensure that error handling is properly configured to prevent stack traces from being sent to the client. Use Flask's errorhandler or register_error_handler to define custom error responses that do not include sensitive information. Additionally, employ logging to record stack traces internally rather than exposing them to users.
Nuxt In Nuxt.js applications, ensure that error handling is properly implemented to avoid exposing stack traces to the client. Use try-catch blocks to catch exceptions and log them internally, while providing generic error messages to the user. Additionally, configure the production environment to disable detailed error reporting. For API responses, consider using a centralized error handling mechanism that sanitizes error messages before sending them to the client.
Fastapi In FastAPI, ensure that error handlers are configured to catch exceptions and return generic error messages. Avoid exposing stack traces or specific error details in production environments. Use logging to record detailed errors internally, and consider implementing security middleware to manage how errors are reported to clients.
Frappe Implement custom error handling to sanitize and abstract error messages, ensuring that stack traces and sensitive information are not exposed to the end user.
Genzio Implement custom error handling middleware in the Genzio framework to sanitize error messages and prevent stack traces from being exposed in responses.
Gin Implement custom error handling middleware in the Gin framework to sanitize error messages and avoid exposing sensitive information in responses.
Gorilla Implement custom error handling middleware in the Gorilla framework to sanitize error messages and prevent stack traces from being exposed in responses.
Hapi Implement centralized error handling in the Hapi framework to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Hono Implement custom error handling middleware to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Jersey Configure a custom error handler in the Jersey framework to prevent stack traces from being exposed in API responses.
Koa Implement a custom error handler in Koa to catch and sanitize error messages before sending them to the client, ensuring no sensitive information is exposed.
Ktor Configure exception handling to return generic error messages and log detailed stack traces securely.
Leptos Implement custom error handling in the Leptos framework to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Macaron Implement custom error handling middleware in the Macaron framework to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Phoenix Configure error handling in the Phoenix framework to use custom error messages and avoid exposing stack traces or database errors in responses.
Redwoodjs Implement a custom error handler in RedwoodJS to sanitize error messages and avoid exposing stack traces or sensitive information in API responses.
Rocket Implement custom error handling middleware in Rocket to sanitize error messages and avoid exposing stack traces or sensitive information in responses.
Sveltekit Implement custom error handling in SvelteKit to sanitize error messages and avoid exposing stack traces or sensitive information in production environments.

Configuration

Identifier: information_disclosure/stacktrace

Examples

Ignore this check

checks:
  information_disclosure/stacktrace:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.5
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: SI-10

Classification

  • CWE: 209

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References