Error Handling / Stack Traces

turingsecure Top 10 | Web and API

Description

Stack Traces (CWE-209) is an error handling vulnerability that occurs in web and API applications. It is a software defect that exposes the internal state of a running application. An attacker can exploit the exposed internal state to gain access to the application and its data.

Stack Traces are often identified through dynamic application security testing (DAST) or by manual review of the application code. OWASP's Testing Guide recommends that developers use logging frameworks that obfuscate stack traces and that they limit the types of data that are logged.

Risk

The risk of a stack trace vulnerability is high, as it can allow an attacker to gain access to sensitive application data. Attackers can use the exposed internal state to identify potential attack vectors and vulnerabilities, and exploit them to gain access to the application and its data.

Solution

The best way to prevent a stack trace vulnerability is to obfuscate stack traces when they are logged. This prevents an attacker from viewing the internal state of the application and its data. Additionally, developers should limit the types of data that are logged so that sensitive data is not exposed.
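The following Python sketch is an added example, not code from turingsecure or any named framework. It shows one way to apply the solution in a WSGI application: the log receives a reduced trace (exception type and frame locations, without the message or local variables), and the client receives only a generic body with an incident ID. The logger name, `SafeErrors`, `summarize`, `demo_app` and `run_demo` are hypothetical names, and returning a generic response body is an assumption that goes beyond the logging advice above.

```python
import io, json, logging, os, sys, traceback, uuid

log = logging.getLogger("app.errors")  # hypothetical logger name

def summarize(exc):
    """Reduced trace for the log: exception type plus file:line:function per
    frame. The message and locals are omitted; they can hold input or secrets."""
    frames = traceback.extract_tb(exc.__traceback__)
    return {"type": type(exc).__name__,
            "frames": [f"{os.path.basename(f.filename)}:{f.lineno}:{f.name}"
                       for f in frames]}

class SafeErrors:
    """WSGI middleware: generic 500 body to the client, reduced trace to the log."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception as exc:
            incident = uuid.uuid4().hex  # lets support match a report to a log line
            log.error("incident=%s %s", incident, json.dumps(summarize(exc)))
            body = json.dumps({"error": "Internal Server Error",
                               "incident": incident}).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))],
                           sys.exc_info())
            return [body]

def demo_app(environ, start_response):
    # Constructed failing handler whose exception message contains a secret.
    password = "hunter2"
    raise RuntimeError(f"db login failed for admin:{password}")

def run_demo():
    """Drive the middleware once; return (status, response body, log text)."""
    stream, seen = io.StringIO(), {}
    handler = logging.StreamHandler(stream)
    log.addHandler(handler)
    try:
        def start_response(status, headers, exc_info=None):
            seen["status"] = status
        body = b"".join(SafeErrors(demo_app)({}, start_response))
    finally:
        log.removeHandler(handler)
    return seen["status"], body.decode(), stream.getvalue()
```

The middleware only covers exceptions raised while the application callable runs; an application that fails while its response iterator is being consumed needs the same handling around the iteration.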
