Stacktrace

Description

Details about database-level or code-level errors have been found in the response. This is an information leak: the error text or stack trace tells an attacker which database engine, framework or dependency (and often which version) you run, so they can move straight to attacks that target known weaknesses in that exact component instead of probing blindly.

Example: sending getUser(id: null) returns { message: "SQL Error: Postgres 3.6 has encountered an error: Invalid ID." }. The client only needed to know that the ID was invalid; the engine name and version are a gift to the attacker.

Remediation

Never return database error codes or stack traces directly to the client. Catch all exceptions at the API boundary, log the original error server-side, and return a generic error code and message. Including a random correlation ID in the response lets support staff find the server-side log entry without exposing any internals.

If you are working in a development or staging environment, error disclosure might be intentional. In that case, check whether the same disclosure happens in production by:

  • Using our cURL copy button to find the request that generated the stack trace.
  • Changing URL and authentication tokens to match your production environment.

GraphQL Specific

Apollo

Never allow database or code error stack traces to be returned directly to the client.

This remediation is supported by our GraphQL Armor middleware.

When using Apollo you can also set NODE_ENV to production or disable debug mode. In Apollo Server 3 the constructor option is debug: false (stack traces are otherwise attached under extensions.exception); in Apollo Server 4 the equivalent option is includeStacktraceInErrorResponses: false (stack traces are otherwise attached under extensions.stacktrace):

const server = new ApolloServer({
  // ...your other options (typeDefs, resolvers, ...)
  debug: false, // Apollo Server 3; use includeStacktraceInErrorResponses: false on Apollo Server 4
});

GraphQL Yoga

This remediation is supported by our GraphQL Armor middleware.

When using Yoga you can also rely on error masking (the maskedErrors option) to hide stack traces and original error messages in production. Since masking is enabled by default, a leaked stack trace usually means the production deployment is running with a development NODE_ENV or has maskedErrors turned off explicitly.

Hasura

Set the HASURA_GRAPHQL_DEV_MODE env variable to false in all user-facing environments.

Source: https://hasura.io/docs/latest/graphql/core/deployment/graphql-engine-flags/reference/

Note: if you are working in a development or staging environment, error disclosure might be intentional. In that case, make sure your production environment has HASURA_GRAPHQL_DEV_MODE set to false.

Configuration

Identifier: information_disclosure/stacktrace

Examples

Ignore this check

{
  "checks": {
    "information_disclosure/stacktrace": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: MEDIUM
    • OWASP: API7:2023
    • PCI DSS: 6.5.5
    • CWE
      • 200
      • 209
      • 210
      • 211
      • 212
      • 215
      • 248
      • 544
      • 550
      • 669
      • 644
      • 668
      • 703
      • 755
      • 1207
      • 1258
      • 1295
    • WASC: WASC-10

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References