Stack Trace (Node.js)

  • CAPEC 214
  • WASC 14
  • PCI 3.2-6.5.5
  • OWASP 2013-A5

Stack traces are not vulnerabilities by themselves, but they often reveal information that is interesting to an attacker. Attackers attempt to generate these stack traces by tampering with the input to the web application with malformed HTTP requests and other input data.

If the application responds with stack traces that are not managed then it could reveal information useful to attackers. This information could then be used in further attacks. Providing debugging information as a result of operations that generate errors is considered a bad practice due to multiple reasons.

For example, it may contain information on internal workings of the application such as relative paths of the point where the application is installed or how objects are referenced internally.

Remediation

Configure your application not to provide detailed error pages in production environments.

References