Stack Trace Disclosure (Java)
Description
The application exposes Java stack traces to users when errors occur. Stack traces are detailed diagnostic messages that reveal internal application structure, including file paths, method names, line numbers, framework versions, and code execution flow. While useful for debugging, exposing this information to end users creates an information disclosure vulnerability that can aid attackers in reconnaissance and attack planning.
Remediation
Implement proper exception handling to prevent stack traces from being displayed to end users:
1. Configure custom error pages:
Define user-friendly error pages in your web.xml or application configuration that display generic error messages without technical details.
<error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error.jsp</location>
</error-page>
2. Use try-catch blocks appropriately:
Catch exceptions at appropriate layers and log detailed information server-side while returning generic messages to users.
try {
    // Application logic
} catch (Exception e) {
    // The full exception, including its stack trace, is written to the server-side log only
    logger.error("Error processing request", e);
    // The user receives a generic message with no class names, paths or line numbers
    return "An error occurred. Please contact support.";
}
3. Disable debug mode in production:
Ensure that development/debug modes are disabled in production environments to prevent verbose error output.
4. Implement centralized error handling:
Use framework-specific error handlers (e.g., Spring's @ControllerAdvice, servlet filters) to catch and handle exceptions globally across the application.
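The following is an added example of the centralized handling described in steps 2 and 4, written as a Spring `@ControllerAdvice` class; it is not code from the original page. The class name `GlobalExceptionHandler`, the SLF4J logger and the JSON response shape are assumptions. The handler logs the complete exception server-side under a random incident id and returns only a generic message plus that id to the client, so support staff can locate the trace in the log without the trace ever leaving the server.

```java
import java.util.Map;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

/**
 * Hypothetical global exception handler (example, not the page's own code).
 * Every exception that escapes a controller is routed here instead of being
 * rendered by the framework's default error view.
 */
@ControllerAdvice
public class GlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> handleUnexpected(Exception e) {
        // A random id ties the client-visible message to the server-side log entry.
        String incidentId = UUID.randomUUID().toString();

        // The exception class, message and full stack trace go to the log only.
        log.error("Unhandled exception, incidentId={}", incidentId, e);

        // The response deliberately omits e.getMessage(): exception messages often
        // embed file paths, SQL fragments or class names.
        Map<String, String> body = Map.of(
                "error", "An error occurred. Please contact support.",
                "incidentId", incidentId);

        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(body);
    }
}
```

The same pattern applies to a servlet filter that wraps `chain.doFilter` in a try-catch: log the throwable, then write a fixed message and a 500 status. In Spring Boot, also set `server.error.include-stacktrace=never` and `server.error.include-message=never` so that requests which bypass the advice (for example, errors raised before a controller is selected) are not rendered with technical detail by the default error view.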