Server Error
- CWE 550
- WASC 13
Server Error exposure occurs when web applications reveal detailed error messages or stack traces to end users. These messages often include internal system information such as file paths, database queries, configuration details, or framework versions. Attackers can leverage this information to identify vulnerabilities, design targeted attacks, or exploit misconfigurations. Such exposures typically result from improper error handling, lack of generic error pages, or verbose debug settings enabled in production environments.
Common patterns leading to server error disclosure:
- Default error pages from frameworks or servers revealing stack traces or internal paths.
- Application exceptions displayed directly to users without sanitization.
- Debugging or verbose logging enabled in production environments.
- Lack of global error handling mechanisms to catch unhandled exceptions.
Impacts:
- Information Disclosure: Reveals sensitive information about server configuration, application structure, or database schema.
- Facilitates Targeted Attacks: Attackers can use disclosed information to craft exploits such as SQL Injection, RCE, or path traversal.
- Increased Attack Surface: Knowledge of frameworks, libraries, or internal components aids exploitation.
- Compliance Violations: Revealing sensitive system details may breach PCI DSS, GDPR, or other regulatory requirements.
Detection indicators:
- HTTP responses containing stack traces, database errors, or detailed exception messages.
- Application returning different error messages based on input, indicating internal logic exposure.
- Security scanners detecting verbose error outputs.
Remediation
Mitigation focuses on proper error handling, logging, and information masking:
- Implement generic error pages: display user-friendly messages without revealing internal details. Returning a correlation ID with the generic message lets support staff find the corresponding log entry without exposing the cause to the client.
- Log detailed errors securely: store the full error information (stack trace, query, request context) in server logs accessible only to authorized personnel.
- Disable debugging in production: ensure verbose debug or exception output, such as framework debug modes and detailed error pages, is not enabled in live environments.
- Sanitize exception handling: install a global handler that catches unhandled exceptions and prevents sensitive information from being sent to clients.
- Monitor and audit logs: regularly review server logs for recurring errors and potential security issues.
- Security testing: include tests for error message disclosure and input-triggered exceptions in penetration tests and automated test suites.
- Educate developers: train developers to follow secure error handling practices and avoid exposing sensitive information.
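The following is an added example, not code from the original page or from any scanner vendor. It shows the detection indicators and the remediation steps together: a debug-style handler that returns the raw traceback to the client, a hardened global handler that returns a generic message with a correlation ID and writes the details to a server-side log, and a response check with the kind of patterns a scanner uses to flag verbose errors. The endpoint, request shape and in-memory log are assumptions for illustration; no real web framework is involved, the application is a plain function.

```python
"""Added example (not from the original page): a leaky error handler beside a
hardened one, plus a response check for verbose-error indicators.
The endpoint, request shape and log setup are assumptions for illustration."""
import io
import json
import logging
import re
import traceback
import uuid
from typing import Callable, Dict, List, Optional, Tuple

Request = Dict[str, str]
Response = Tuple[int, str]            # (HTTP status, body)
App = Callable[[Request], Dict[str, str]]

# Detailed errors go to a server-side log, never to the client. An in-memory
# buffer stands in for a log file or pipeline readable only by operators.
_log_buffer = io.StringIO()
log = logging.getLogger("example.errors")
log.addHandler(logging.StreamHandler(_log_buffer))
log.setLevel(logging.ERROR)
log.propagate = False


def lookup_user(request: Request) -> Dict[str, str]:
    """Hypothetical endpoint. A non-numeric 'id' raises ValueError, and the
    exception text echoes the attacker-controlled input."""
    user_id = int(request["id"])
    return {"id": str(user_id), "name": "alice"}


def handle_verbose(app: App, request: Request) -> Response:
    """Debug-style handling (the anti-pattern): the full traceback, with
    source paths, line numbers and exception text, goes to the client."""
    try:
        return 200, json.dumps(app(request))
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(app: App, request: Request) -> Response:
    """Global handler: generic message plus a correlation id for the client;
    the stack trace is written only to the server log under that id."""
    try:
        return 200, json.dumps(app(request))
    except Exception:
        error_id = uuid.uuid4().hex[:12]
        log.exception("unhandled error id=%s path=%s", error_id, request.get("path", "?"))
        return 500, json.dumps({"error": "Internal server error", "id": error_id})


# Indicators a scanner or test suite can look for in HTTP response bodies.
VERBOSE_ERROR_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),             # Python
    re.compile(r'File "[^"]+", line \d+'),                          # Python frame
    re.compile(r"\bat [\w.$<>]+\(\w+\.java:\d+\)"),                  # Java frame
    re.compile(r"\.(?:php|asp|aspx|cs|rb|js) on line \d+", re.I),   # PHP and others
    re.compile(r"ORA-\d{5}|SQLSTATE\[|error in your SQL syntax|syntax error at or near", re.I),
    re.compile(r"System\.\w+Exception|Unhandled Exception|Exception in thread"),
    re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|opt|srv|app)/)[\w./\\-]+"),  # internal path
]


def verbose_error_indicators(body: str) -> List[str]:
    """Return the patterns that matched; an empty list means nothing was flagged."""
    return [p.pattern for p in VERBOSE_ERROR_PATTERNS if p.search(body)]


def server_log() -> str:
    """What an operator would see in the log (stays server-side)."""
    return _log_buffer.getvalue()


def demo(app: App = lookup_user, request: Optional[Request] = None) -> Dict[str, object]:
    """Run both handlers on the same malformed request (constructed input)."""
    request = request or {"path": "/users", "id": "1 OR 1=1"}
    v_status, v_body = handle_verbose(app, request)
    h_status, h_body = handle_hardened(app, request)
    return {
        "verbose": (v_status, verbose_error_indicators(v_body)),
        "hardened": (h_status, verbose_error_indicators(h_body), json.loads(h_body)),
        "log_has_trace": "Traceback (most recent call last)" in server_log(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the verbose handler tripping the Python traceback, frame and path patterns while the hardened handler's body trips none, and the traceback appearing only in the server log. The same `verbose_error_indicators` check can be run over responses captured during a penetration test or wired into an integration test that deliberately sends malformed input to every endpoint.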
You may also see
- Internal Server Error
- Long Redirect Response
- Error Message
- Stack Trace
- Internal Path
- Not Secure Cookie
- Not Http-Only Cookie
- Sensitive Data in Query String
- Sensitive Data over HTTP
- Source Code Disclosure
- Information Leakage
- Web Backdoor
- Database Connection String
- Autocomplete Enabled
- Undefined Content-Type Header
- Missing X-Frame-Options Header
- File Upload Input Detected
- Mixed Content
- Insecure iFrame
- XPath Injection
- Basic Authentication over HTTP
- Forbidden Resource
- Multiple Choices Enabled
- Apache MultiViews Enabled
- GraphQL Endpoint Detected