Stack Trace (Node.js)
- CAPEC 214
- WASC 14
- PCI 3.2-6.5.5
- OWASP 2013-A5
Stack traces are not vulnerabilities by themselves, but they often reveal information that is interesting to an attacker. Attackers attempt to generate these stack traces by tampering with the input to the web application with malformed HTTP requests and other input data.
If the application responds with stack traces that are not managed then it could reveal information useful to attackers. This information could then be used in further attacks. Providing debugging information as a result of operations that generate errors is considered a bad practice due to multiple reasons.
For example, it may contain information on internal workings of the application such as relative paths of the point where the application is installed or how objects are referenced internally.
Remediation
Configure your application not to provide detailed error pages in production environments.
References
Search Vulnerability
You may also see
- Stack Trace (Java)
- Stack Trace (PHP)
- Stack Trace (Python)
- Stack Trace (ASP.NET)
- Stack Trace (Node.js)
- Long Redirect Response
- Error Message
- Stack Trace
- Internal Path
- Not Secure Cookie
- Not Http-Only Cookie
- Sensitive Data in Query String
- Sensitive Data over HTTP
- Server Error
- Source Code Disclosure
- Information Leakage
- Web Backdoor
- Database Connection String
- Autocomplete Enabled
- Undefined Content-Type Header
- Missing X-Frame-Options Header
- Mixed Content
- Insecure iFrame
- XPath Injection
- Basic Authentication over HTTP
- Forbidden Resource
- Multiple Choices Enabled
- Apache MultiViews Enabled