Information Disclosure
detect, understand, remediate
Information disclosure through verbose error messages, stack traces, server banners, and debug pages gives attackers valuable intelligence about your application's internals and attack surface.
What is information disclosure via errors?
Information disclosure via errors occurs when an application reveals sensitive technical details in its error responses. Stack traces, database queries, file system paths, server versions, and internal configuration details can all leak through improperly handled error messages, giving attackers a detailed map of the application's internals.
While individual pieces of leaked information may seem harmless, attackers combine them to build a comprehensive picture of the technology stack, database schema, file structure, and internal logic. This reconnaissance significantly reduces the effort required to find and exploit other vulnerabilities.
Error-based information disclosure is particularly dangerous because it is often overlooked during development. Verbose error messages that are helpful during debugging become a liability in production, yet many applications are deployed without switching to production-appropriate error handling.
How it works
Trigger an error
The attacker sends malformed input, requests non-existent resources, or manipulates parameters to cause the application to throw an error.
Verbose error returned
Instead of a generic error page, the application returns a detailed stack trace, SQL query, file path, or server configuration details.
Information gathered
The attacker collects technology versions, database structure, internal file paths, API endpoints, and framework-specific details from the error output.
Targeted attack crafted
Using the gathered intelligence, the attacker crafts precise exploits targeting known vulnerabilities in the disclosed technology stack.
Common causes
Debug mode in production
Applications deployed with debug mode enabled display full stack traces, variable values, and framework internals in error responses.
Verbose error handlers
Custom error handlers that catch exceptions and return the full error message and stack trace to the client instead of logging them server-side.
Server version headers
Web servers and application frameworks expose version information through Server, X-Powered-By, and X-AspNet-Version response headers.
Unhandled exceptions
Missing try-catch blocks allow framework default error pages to render, exposing detailed technical information about the failure.
How to detect it
Automated detection
- SecPortal's scanner sends malformed requests and analyses error responses for stack traces, SQL fragments, and file paths
- Response header analysis flags Server, X-Powered-By, and other headers that disclose technology versions
- Code scanning identifies verbose error handling patterns, debug flags, and missing production error configurations
Manual testing
- Submit invalid input to forms, APIs, and URL parameters and inspect the error responses for technical details
- Request non-existent pages and resources to trigger 404 handlers and check for information leaks
- Review HTTP response headers for server identification, framework version, and technology disclosure
How to fix it
Use generic error pages in production
Return user-friendly error messages that do not reveal technical details. Log the full error server-side for debugging purposes.
Disable debug mode in production
Ensure all debug flags, development modes, and verbose logging are disabled before deploying to production environments.
Remove server version headers
Configure your web server to suppress Server, X-Powered-By, X-AspNet-Version, and similar headers that reveal technology details.
Implement centralised error handling
Use a global error handler that catches all exceptions, logs them securely, and returns a consistent generic response to clients.
Configure security headers
Set X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy headers to reduce the risk of information leakage through browser behaviour.
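As an added example (my code, not SecPortal's or any framework's), a stdlib-only Python sketch of the remediation steps above beside the verbose pattern they replace, plus a small scanner of the kind the detection section describes. The (status, headers, body) response shape, the header values, the sample exception and the leak patterns are all assumptions made for the example.

```python
import json
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Response headers the page names as technology disclosures (matched case-insensitively).
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Hardening headers from the page; the CSP value is an assumed minimal policy.
SECURITY_HEADERS = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'"}

def sample_exception():
    """Constructed failure whose message carries a SQL fragment and a file path."""
    try:
        raise RuntimeError("SELECT * FROM users WHERE id = $1 failed; see /etc/app/db.conf")
    except RuntimeError as exc:
        return exc

def verbose_error_response(exc):
    """The risky handler: the full traceback and a version banner go to the client."""
    body = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, {"Server": "ExampleServer/1.2.3", "Content-Type": "text/plain"}, body

def scrub_headers(headers):
    """Drop version-disclosing headers and add the security headers."""
    kept = {k: v for k, v in headers.items() if k.lower() not in DISCLOSURE_HEADERS}
    kept.update(SECURITY_HEADERS)
    return kept

def hardened_error_response(exc):
    """Log the full exception server-side; return a generic body plus a correlation id."""
    incident_id = uuid.uuid4().hex
    log.error("unhandled exception incident_id=%s", incident_id, exc_info=exc)
    body = json.dumps({"error": "An internal error occurred.", "incident_id": incident_id})
    return 500, scrub_headers({"Content-Type": "application/json"}), body

# Constructed detection patterns for the leak kinds the page lists (not SecPortal's rules).
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|File \".*?\", line \d+"),
    "sql_fragment": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\bFROM\b|syntax error", re.I),
    "file_path": re.compile(r"(/[\w.-]+){2,}|[A-Za-z]:\\[\w\\.-]+"),
}

def find_disclosures(_status, headers, body):
    """Return the leak categories found in one response, header leaks included."""
    found = [name for name, pat in LEAK_PATTERNS.items() if pat.search(body)]
    found += ["header:" + k for k in headers if k.lower() in DISCLOSURE_HEADERS]
    return sorted(found)
```

The incident id is what support staff look up in the server-side log, so the client never needs the trace itself.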
Detect information leakage
SecPortal checks for server version disclosure, debug pages, Git config exposure, and verbose errors. Start free.