Stacktrace
Description
Details about database-level or code-level errors have been found in the response. This may cause information leaks, allowing attackers to identify the exact database or dependency you are using, and can therefore lead to highly targeted attacks against your application.
Example: sending getUser(id: null) returns { message: "SQL Error: Postgres 3.6 has encountered an error : Invalid ID."}.
Remediation
Always avoid database error codes or stack traces to be returned directly to the client. Catch all exception and return a specific error code and message.
If you are working in a development or staging environment, error disclosure might happen on purpose. In that case, check if this is also the case in production by:
- Using our cURL copy button to find the request that generated the stack trace.
- Changing URL and authentication tokens to match your production environment.
GraphQL Specific
Apollo
To address issues within the Apollo framework engine, ensure that all dependencies are up to date, follow best practices for error handling, and regularly audit your code for security vulnerabilities. Additionally, consider implementing proper logging to capture stack traces for debugging while avoiding exposure of sensitive information in production environments.
Yoga
To address issues within the Yoga framework engine, ensure that all dependencies are up-to-date, utilize proper error handling mechanisms, and adhere to the framework's best practices for security and performance. Regularly review the documentation and community resources for updates and patches that can help mitigate potential vulnerabilities or bugs.
Awsappsync
To mitigate issues within the AWS AppSync framework engine, ensure that you are handling errors gracefully and logging them appropriately. Implement structured error handling to capture stack traces and exceptions without exposing sensitive information to the client. Regularly review and update your security policies and IAM roles to adhere to the principle of least privilege. Monitor and analyze the logs to detect and respond to any abnormal behavior promptly. Additionally, keep the AWS AppSync service and all related dependencies up to date with the latest security patches and best practices.
Graphqlgo
To mitigate the risk of injection attacks in a GraphQL Go framework engine, ensure that all user-supplied input is properly validated and sanitized. Use prepared statements with variable binding for all database queries to prevent injection vulnerabilities. Additionally, implement proper error handling to avoid exposing sensitive stack trace information to the client. Regularly review and update your security practices to address new and emerging threats.
Graphqlruby
Ensure that the GraphQL Ruby framework is configured to sanitize and validate all inputs to prevent injection attacks. Use the built-in mechanisms for parameterized queries and argument validation to avoid potential security vulnerabilities. Regularly update the framework and its dependencies to incorporate the latest security patches and features.
Hasura
To mitigate the risk of SQL injection and ensure secure query handling within the Hasura framework, it is recommended to utilize prepared statements with parameterized queries. This practice prevents attackers from manipulating the SQL syntax by injecting malicious code. Always validate and sanitize user inputs, and employ Hasura's built-in mechanisms for role-based access control to restrict data access and operations based on user roles.
REST Specific
Asp_net
Implement custom error handling in the ASP.NET application to catch exceptions and log them internally, while displaying generic error messages to the user. Use the customErrors mode in the Web.config file to configure the error pages that should be shown in production, and avoid revealing sensitive error information. Additionally, review and sanitize all error messages to ensure they do not contain details that could help an attacker.
Ruby_on_rails
In Ruby on Rails, ensure that detailed error messages are not exposed to the end users. Instead, use generic error messages and log the detailed stack traces internally. Configure config.consider_all_requests_local to false in production to prevent full error reports from being rendered in the browser. Additionally, use rescue_from in controllers to catch exceptions and render custom error pages. Always sanitize user inputs and use Active Record's built-in parameterized query methods to prevent SQL injection.
Next_js
Implement custom error handling in your Next.js application to catch and log errors internally while displaying generic error messages to the users. Avoid sending stack traces or database error details in the response. Use the built-in error pages or create custom error components to provide a user-friendly experience without exposing sensitive information.
Laravel
In Laravel, ensure that error messages do not expose sensitive details by configuring the 'debug' mode to 'false' in the '.env' file for production environments. Utilize Laravel's built-in logging system to record errors without revealing them to the end user. Additionally, employ exception handling with try-catch blocks to catch and handle errors gracefully, providing generic error responses to the user. For database queries, use Eloquent ORM or the query builder's parameterized queries to prevent SQL injection and avoid detailed SQL error messages in responses.
Express_js
In Express.js, ensure that error handling middleware is configured to catch and sanitize error messages before they are sent to the client. Use a custom error handler that sends generic error responses to avoid leaking stack traces or database information. Additionally, employ logging libraries to record detailed errors internally without exposing them to the end user.
Django
In Django, ensure that DEBUG mode is set to False in production to prevent stack traces from being displayed to users. Use Django's built-in logging to record errors internally. Additionally, employ Django's exception handling to catch errors and return generic error messages to the client.
Symfony
In Symfony, ensure that error messages are generic and do not expose stack traces to the end user. Use the 'prod' environment for production, which does not display sensitive error details. Additionally, configure the 'monolog' bundle to log errors internally without exposing them to the client. For database interactions, utilize Doctrine's parameterized queries to prevent SQL injection and avoid detailed error messages that could reveal database structure or version information.
Spring_boot
In Spring Boot, ensure that detailed error messages are not exposed to the client. Configure a global exception handler using @ControllerAdvice and @ExceptionHandler annotations to catch exceptions and return a generic error response. Additionally, enable spring.mvc.log-resolved-exception to false to prevent stack traces from being logged automatically. For database errors, use parameterized queries or JPA methods to prevent SQL injection and avoid revealing database details in error messages.
Flask
In Flask, ensure that error handling is properly configured to prevent stack traces from being sent to the client. Use Flask's errorhandler or register_error_handler to define custom error responses that do not include sensitive information. Additionally, employ logging to record stack traces internally rather than exposing them to users.
Nuxt
In Nuxt.js applications, ensure that error handling is properly implemented to avoid exposing stack traces to the client. Use try-catch blocks to catch exceptions and log them internally, while providing generic error messages to the user. Additionally, configure the production environment to disable detailed error reporting. For API responses, consider using a centralized error handling mechanism that sanitizes error messages before sending them to the client.
Fastapi
In FastAPI, ensure that error handlers are configured to catch exceptions and return generic error messages. Avoid exposing stack traces or specific error details in production environments. Use logging to record detailed errors internally, and consider implementing security middleware to manage how errors are reported to clients.
Configuration
Identifier:
information_disclosure/stacktrace
Examples
Ignore this check
checks:
information_disclosure/stacktrace:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
- OWASP: API7:2023
- pci: 6.5.5
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SI-10
Classification
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1