Security Test: Stacktrace
Description
Default Severity:
Detailed error messages and stack traces can reveal information about your database or code dependencies. When a response contains raw technical error details, an attacker can use them to identify the specific technologies in use and look for known vulnerabilities in those components. Developers often fall into the trap of returning raw error messages because it is convenient for debugging during development; if such messages reach production, they hand an attacker a roadmap of the application. Sanitize or hide detailed errors in responses and log them internally only, so that the application's inner workings stay protected.
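The pattern described above, as an added example that is not part of this page or the scanner's own code: a leaky handler that returns the raw traceback next to a hardened handler that logs the traceback internally under a correlation id and returns only a generic message, plus a simplified `leaks_stacktrace` response check (an assumption of this example, not the test's real detection logic). The failing database call and its error text are constructed.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed stand-in for a data-access call that fails with a
# dependency-specific error (the kind of detail a stack trace reveals).
def lookup_user(user_id: int) -> dict:
    raise RuntimeError('psycopg2.OperationalError: relation "users" does not exist')

def handle_leaky(user_id: int) -> tuple[int, dict]:
    """Vulnerable: the raw traceback is sent back to the client."""
    try:
        return 200, lookup_user(user_id)
    except Exception:
        return 500, {"error": traceback.format_exc()}

def handle_safe(user_id: int) -> tuple[int, dict]:
    """Hardened: the traceback is logged internally under a correlation id;
    the client only gets a generic message plus that id for support lookups."""
    try:
        return 200, lookup_user(user_id)
    except Exception:
        incident_id = uuid.uuid4().hex
        log.exception("unhandled error incident_id=%s", incident_id)
        return 500, {"error": "Internal server error", "incident_id": incident_id}

# Substrings that mark a stack trace from common runtimes in a response body.
# Assumed, simplified check for illustration, not the scanner's own logic.
STACKTRACE_MARKERS = (
    "Traceback (most recent call last)",  # Python
    '  File "',                            # Python frame line
    "\tat ",                               # Java / .NET frame line
    "Exception in thread",                 # Java uncaught exception
    "at Object.<anonymous>",               # Node.js
    "Stack trace:",                        # PHP / .NET
)

def leaks_stacktrace(body: str) -> bool:
    """Return True if the response body looks like it contains a stack trace."""
    return any(marker in body for marker in STACKTRACE_MARKERS)

if __name__ == "__main__":
    for handler in (handle_leaky, handle_safe):
        status, body = handler(42)
        verdict = "leaks" if leaks_stacktrace(body["error"]) else "clean"
        print(handler.__name__, status, verdict)
```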
Reference:
Configuration
Identifier:
information_disclosure/stacktrace
Examples
All configuration available:
Compliance and Standards
| Standard | Value |
|---|---|
| OWASP API Top 10 | API7:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.5 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | SI-10 |
| CWE | 209 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |