Excessively detailed error messages disclosed to end users may reveal sensitive information or enable secondary attacks. For example, a login or registration endpoint that explicitly states “invalid username” allows an adversary to enumerate valid accounts, while error stack traces can expose internal system details, database schemas, or configuration paths. Such disclosures reduce the effort required for brute-force attacks, privilege escalation, or targeted exploitation.
Remediation
Capture detailed technical error information in centralised logs (e.g., SIEM, log aggregator) that are accessible only to authorised administrators.
Generate a unique error identifier (ID) for each error and include it in the logs for traceability.
Return only generic error messages to the user, along with the error ID for support or troubleshooting.
Apply consistent error-handling policies across all application layers (API, frontend, backend).
Ensure that verbose error output is disabled in production environments (e.g., disable debug stack traces).
Metadata
Severity: low
Slug: information-disclosure-via-error-message
CWEs
209: Generation of Error Message Containing Sensitive Information
204: Observable Response Discrepancy
210: Self-generated Error Message Containing Sensitive Information
200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP
A04:2021: Insecure Design
A05:2021: Security Misconfiguration
A09:2021: Security Logging and Monitoring Failures
Available Labs
Select a language to explore available labs for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
