🧠 Description

The application reveals detailed error messages, stack traces, or debug information to the client. Attackers use this output to learn about application internals (frameworks, file paths, database structure), identify weaknesses, and craft targeted attacks.

Impact: Technology Stack Disclosure, Path Traversal, Database Info, Admin Paths

🎯 Attack Surface

  • Invalid input triggers errors
  • 404/500 error pages
  • Login failure messages
  • API endpoint errors

🔍 Detection

  • Inject special characters: ' " ; < > { }
  • Send malformed requests
  • Trigger SQL/XSS errors
  • Check stack traces for paths, versions

🛡️ Mitigation

✅ Disable detailed errors in production
✅ Use custom error pages
✅ Log errors server-side only
✅ Sanitize error messages
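The four mitigations above map onto one error-handling path: catch the exception, log the full trace server-side under an opaque incident ID, and return only a generic message to the client. The following Python block is an added illustration written for this page, not code from the original; it uses only the standard library, and the names (`handle_exception`, `safe_call`, `sanitize_message`, `load_config`) and the sample exception text are constructed for the example.

```python
import logging
import re
import traceback
import uuid

logger = logging.getLogger("app.errors")

# Matches POSIX paths (/srv/app/x.yml) and Windows paths (C:\inetpub\x.config)
# so they can be masked before a message could reach a client.
PATH_RE = re.compile(r'(/[\w.\-]+)+|[A-Za-z]:\\[^\s"\']+')

GENERIC_MESSAGE = "An internal error occurred."


def sanitize_message(msg: str) -> str:
    """Mask filesystem paths in a message that may be shown outside the server."""
    return PATH_RE.sub("[path]", msg)


def handle_exception(exc: BaseException, debug: bool = False) -> dict:
    """Build the client-facing response for an unhandled exception.

    The full traceback is always logged server-side, keyed by an incident ID
    that the client also receives, so support staff can correlate a user's
    report with the log entry without the stack trace ever leaving the server.
    """
    incident_id = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("incident=%s\n%s", incident_id, trace)

    if debug:
        # Development only: expose type and message, but still mask paths.
        return {
            "status": 500,
            "error": sanitize_message(str(exc)),
            "type": type(exc).__name__,
            "incident_id": incident_id,
        }

    # Production: fixed generic text, no exception details of any kind.
    return {"status": 500, "error": GENERIC_MESSAGE, "incident_id": incident_id}


def safe_call(fn, debug: bool = False) -> dict:
    """Run a request handler and convert any failure into a safe response."""
    try:
        return {"status": 200, "body": fn()}
    except Exception as exc:  # noqa: BLE001 - top-level boundary, every error is handled
        return handle_exception(exc, debug=debug)


def load_config() -> dict:
    """Constructed handler that fails the way a misconfigured deployment might."""
    raise FileNotFoundError("/srv/app/config/database.yml not found")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("production:", safe_call(load_config, debug=False))
    print("debug:     ", safe_call(load_config, debug=True))
```

The production response carries nothing an attacker can use beyond the fact that a 500 occurred, while the log line contains the complete trace; the `debug` branch exists only so the same code path can be exercised locally, and even there paths are masked as a second line of defence.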