Error messages - Vulnerability Database

Error messages

Description

This alert requires manual confirmation

The application displays detailed error or warning messages that may reveal sensitive technical information about the system's internal structure. These messages can include stack traces, file paths, database connection details, framework versions, or debugging information. When error messages are exposed to end users, they provide attackers with valuable reconnaissance data that can be used to identify vulnerabilities and plan targeted attacks.

Remediation

Configure the application to suppress detailed error messages in production environments and implement proper error logging instead:

1. Disable detailed error display:
For PHP applications, set the following in php.ini (under Apache mod_php the same settings can be placed in .htaccess as php_flag display_errors Off, php_flag log_errors On and php_value error_log /path/to/secure/error.log):

display_errors = Off
log_errors = On
error_log = /path/to/secure/error.log

For ASP.NET applications, configure web.config:
<system.web>
  <customErrors mode="On" defaultRedirect="~/Error.html" />
</system.web>

For Java applications, implement custom error pages in web.xml:
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location>
</error-page>

2. Implement generic error pages:
Display user-friendly error messages that do not reveal technical details. Use generic messages such as "An error occurred. Please contact support." A short opaque reference id in the message lets support staff find the matching server-side log entry without exposing anything about the failure itself.

3. Log errors securely:
Configure comprehensive error logging to secure files or centralized logging systems that are only accessible to authorized personnel. Ensure logs include sufficient detail for debugging but are never exposed to end users.

4. Review and test:
Verify that error handling works correctly in production mode and that no stack traces, file paths, or technical details are visible to users during error conditions.
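As an added example (not Invicti's code), a Python handler that follows steps 2 and 3, returning only a generic message with a reference id while the full traceback goes to the server log, plus a small checker for step 4 that flags response bodies still containing stack traces, file paths or framework version banners. The leak patterns and the sample responses are constructed assumptions for this illustration.

```python
"""Added example: generic client message + detailed server log, and a
checker that flags verbose error output still reaching the client."""
import logging
import re
import traceback
import uuid

log = logging.getLogger("app.errors")

# Signatures of verbose error output. Constructed for this example;
# extend the list for the frameworks in your own stack.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),          # Python
    re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)"),                 # Java frame
    re.compile(r"Fatal error: .* in /[\w./-]+ on line \d+"),      # PHP
    re.compile(r"Server Error in '.*' Application"),              # ASP.NET
    re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|etc)/)[\w\\/.-]+"),  # paths
    re.compile(r"\.NET Framework Version:"),                      # version
]

# Constructed sample bodies: one leaking a PHP fatal, one generic.
LEAKY_RESPONSE = ("Fatal error: Uncaught Error: Call to undefined function "
                  "in /var/www/html/index.php on line 12")
SAFE_RESPONSE = "An error occurred. Please contact support."


def handle_exception(exc: BaseException) -> dict:
    """Log the full traceback server-side (step 3) and return only a
    generic message plus a reference id the user can quote (step 2)."""
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s\n%s", ref, detail)  # stays in the secure log only
    return {"status": 500,
            "body": f"An error occurred. Please contact support (ref {ref})."}


def leaks_technical_details(body: str) -> list:
    """Step 4 check: return the leak patterns matched by a response body
    (empty list means nothing verbose was found)."""
    return [p.pattern for p in LEAK_PATTERNS if p.search(body)]
```

Run leaks_technical_details over error responses captured from the production deployment; any non-empty result is a page that still needs the configuration from step 1.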
