Information Disclosure: Stacktrace
Identifier: stacktrace
Scanner(s) Support
GraphQL Scanner | REST Scanner | WebApp Scanner |
---|---|---|
Description
Detailed error messages or stack traces returned in a response can reveal information about your database or code dependencies. When a response carries precise technical error details, an attacker can use them to identify the specific technologies in use, which makes it easier to target known vulnerabilities in those systems. Developers often fall into the trap of sending raw error messages to users because it is convenient for debugging during development; if such messages make it into production, they provide a roadmap for an attacker. Sanitize or hide these detailed errors and log them only internally, so that your application's inner workings are protected from exploitation.
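As an added illustration (not part of this check's documentation or the scanner's own detection rules), the following Python shows both sides of the issue: a small detector that flags common stack-trace formats in constructed sample response bodies, and an error handler that logs the full traceback internally while returning only a generic message and an opaque reference to the client. The pattern set and the sample bodies are constructed assumptions.

```python
import json
import logging
import re
import traceback
import uuid

# Constructed signatures for common stack-trace formats; an assumption for this
# example, not the scanner's own detection rules.
STACKTRACE_PATTERNS = {
    "python": re.compile(r"Traceback \(most recent call last\):"),
    "java": re.compile(r"^\s+at [\w$.]+\([\w$]+\.java:\d+\)", re.M),
    "node": re.compile(r"^\s+at .+ \(.+\.js:\d+:\d+\)", re.M),
    "dotnet": re.compile(r"^\s+at [\w.]+\(.*\) in .+\.cs:line \d+", re.M),
}

# Constructed sample response bodies standing in for captured HTTP responses.
JAVA_BODY = """<html><h1>HTTP 500</h1><pre>java.lang.NullPointerException
    at com.example.api.UserResolver.resolve(UserResolver.java:42)
    at graphql.execution.ExecutionStrategy.resolveField(ExecutionStrategy.java:270)
</pre></html>"""
PYTHON_BODY = json.dumps({"errors": [{"message": (
    "Traceback (most recent call last):\n"
    '  File "/app/api/users.py", line 42, in resolve_user\n'
    'psycopg2.errors.UndefinedColumn: column "emial" does not exist')}]})
CLEAN_BODY = json.dumps({"error": "Internal server error", "reference": "c0ffee123456"})


def find_stacktrace(body: str) -> list[str]:
    """Return the names of stack-trace formats found in a response body (empty if clean)."""
    return [name for name, pat in STACKTRACE_PATTERNS.items() if pat.search(body)]


def safe_error_response(exc: BaseException, logger=logging.getLogger("app")) -> dict:
    """Log the full traceback internally; hand the client only a generic message
    plus an opaque reference it can quote to support."""
    ref = uuid.uuid4().hex[:12]
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("unhandled error ref=%s\n%s", ref, details)
    return {"error": "Internal server error", "reference": ref}


if __name__ == "__main__":
    for name, body in [("java", JAVA_BODY), ("python", PYTHON_BODY), ("clean", CLEAN_BODY)]:
        print(f"{name:7s} -> {find_stacktrace(body) or 'no stack trace'}")
    try:
        {}["missing"]
    except KeyError as e:
        resp = safe_error_response(e)
    print("client sees:", json.dumps(resp), "->", find_stacktrace(json.dumps(resp)))
```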
References:
Configuration
Example
Example configuration:
Reference
assets_allowed
Type : List[AssetType]
List of assets that this check will cover.
skip
Type : boolean
Skip the test if true.