Stack Trace Disclosure (GWT)
Description
The application exposes detailed stack traces from Google Web Toolkit (GWT) when errors occur. Stack traces are diagnostic messages that reveal the internal execution flow of an application when an exception is thrown. When these traces are displayed to end users, they can expose sensitive technical details including file system paths, framework versions, code structure, database connection information, and internal application logic that should remain confidential.
Remediation
Implement proper exception handling to prevent stack traces from being displayed to end users:
1. Configure custom error pages:
Set up generic error pages that display user-friendly messages without technical details. In web.xml (or the equivalent application configuration), map error codes and exception types to that generic page with <error-page> elements so the servlet container never renders its default error page, which typically includes the full stack trace.
2. Implement centralized exception handling:
Use try-catch blocks to handle exceptions gracefully and log detailed error information server-side only.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// SLF4J shown here; any logger with an error(String, Throwable) method works. Output goes to server-side log files only.
private static final Logger logger = LoggerFactory.getLogger("app.requests");

public String handleRequest() {
    try {
        // Application logic (processRequest() stands for the application's own code)
        return processRequest();
    } catch (Exception e) {
        // Log full stack trace to secure server logs
        logger.error("Error processing request", e);
        // Return generic error message to user; generateErrorId() yields an ID that is also written to the log so support can correlate the two
        return "An error occurred. Please contact support with reference ID: " + generateErrorId();
    }
}
3. Configure GWT compilation mode:
Ensure GWT applications are deployed as production (obfuscated) compiler output rather than run in development mode; obfuscated output reduces the verbosity of client-side error messages and of any stack traces the browser-side code can produce.
4. Review logging configuration:
Verify that detailed error logs are written to secure locations accessible only to authorized personnel, not to publicly accessible directories or client responses.
5. Disable debug mode:
Ensure all debugging features and verbose error reporting are disabled in production environments.
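The following listing is an added example, not code from the original advisory or from the GWT project, showing how steps 1, 2 and 4 fit together in a GWT-RPC application: a shared exception type that carries only an opaque reference ID, a server-side service implementation that logs the real exception under that ID and never lets a raw exception reach the wire, a container error-page servlet registered through the web.xml <error-page> mapping, and a client callback that displays the ID and nothing else. The names AccountService, AccountServiceImpl, ServiceFailure, ErrorPageServlet, AccountView and lookupBalance() are assumed for illustration; each class would normally live in its own file in the package indicated by the comments. Step 3 is a build setting rather than code: compile with the GWT compiler's obfuscated output (its default -style OBF) and do not expose development mode.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.IsSerializable;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/* ---- shared package (translated for the client and used by the server) ---- */

/** The only exception type that crosses the wire: an opaque reference ID, no cause, no trace. */
public class ServiceFailure extends Exception implements IsSerializable {
    private String referenceId;
    public ServiceFailure() { }  // no-arg constructor required by GWT-RPC serialization
    public ServiceFailure(String referenceId) {
        super("Request failed. Reference ID: " + referenceId);  // generic text only
        this.referenceId = referenceId;
    }
    public String getReferenceId() { return referenceId; }
}

@RemoteServiceRelativePath("account")
public interface AccountService extends RemoteService {
    String getBalance(String accountId) throws ServiceFailure;  // declared, so GWT-RPC serializes it
}

public interface AccountServiceAsync {
    void getBalance(String accountId, AsyncCallback<String> callback);
}

/* ---- server package ---- */

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private static final Logger LOG = Logger.getLogger(AccountServiceImpl.class.getName());

    @Override
    public String getBalance(String accountId) throws ServiceFailure {
        try {
            return lookupBalance(accountId);
        } catch (RuntimeException e) {
            // Steps 2 and 4: the full trace is written to the server log under a reference ID;
            // the client receives only that ID, so support can correlate without disclosure.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "getBalance failed, ref=" + ref, e);
            throw new ServiceFailure(ref);
        }
    }

    // Assumed application logic; a null ID stands in for any backend failure here.
    private String lookupBalance(String accountId) {
        if (accountId == null) throw new IllegalArgumentException("missing account id");
        return "0.00";
    }
}

/** Step 1: registered in web.xml with
 *    <error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>
 *    <error-page><error-code>500</error-code><location>/error</location></error-page>
 *  so the container's default trace page is never shown. */
public class ErrorPageServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ErrorPageServlet.class.getName());

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Standard Servlet API attributes set by the container before dispatching to an error page.
        Throwable cause = (Throwable) req.getAttribute("javax.servlet.error.exception");
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "unhandled error ref=" + ref + " status=" + status, cause);
        resp.setStatus(status != null ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html;charset=UTF-8");
        // Fixed text plus a UUID: no exception message, no request URI, nothing user-controlled.
        resp.getWriter().print("<html><body><h1>Something went wrong</h1>"
            + "<p>Please contact support with reference ID " + ref + ".</p></body></html>");
    }
}

/* ---- client package ---- */

public class AccountView {
    private final AccountServiceAsync service = GWT.create(AccountService.class);

    public void showBalance(String accountId) {
        service.getBalance(accountId, new AsyncCallback<String>() {
            @Override public void onSuccess(String balance) { Window.alert("Balance: " + balance); }
            @Override public void onFailure(Throwable caught) {
                // Show the reference ID only; never caught.getMessage(), toString() or getStackTrace().
                String msg = (caught instanceof ServiceFailure)
                    ? "Request failed. Reference ID: " + ((ServiceFailure) caught).getReferenceId()
                    : "Request failed. Please try again later.";
                Window.alert(msg);
            }
        });
    }
}
```

The reference ID is generated once per failure and appears in exactly two places, the server log entry and the user-facing message, which is what lets support reconstruct the incident without the trace ever leaving the server. The error-page servlet deliberately writes no attribute value other than the UUID into the HTML, so it cannot itself become a reflected-content or disclosure vector, and the client callback is the place to verify during review, since a stray caught.getMessage() there undoes the server-side work.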