πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Information Disclosure via Error Message

Verbose Error Messages

Excessively detailed error messages disclosed to end users may reveal sensitive information or enable secondary attacks. For example, a login or registration endpoint that explicitly states β€œinvalid username” allows an adversary to enumerate valid accounts, while error stack traces can expose internal system details, database schemas, or configuration paths. Such disclosures reduce the effort required for brute-force attacks, privilege escalation, or targeted exploitation.

Remediation

  • Capture detailed technical error information in centralised logs (e.g., SIEM, log aggregator) that are accessible only to authorised administrators.
  • Generate a unique error identifier (ID) for each error and include it in the logs for traceability.
  • Return only generic error messages to the user, along with the error ID for support or troubleshooting.
  • Apply consistent error-handling policies across all application layers (API, frontend, backend).
  • Ensure that verbose error output is disabled in production environments (e.g., disable debug stack traces).

Metadata

  • Severity: low
  • Slug: information-disclosure-via-error-message

CWEs

  • 209: Generation of Error Message Containing Sensitive Information
  • 204: Observable Response Discrepancy
  • 210: Self-generated Error Message Containing Sensitive Information
  • 200: Exposure of Sensitive Information to an Unauthorized Actor

OWASP

  • A04:2021: Insecure Design
  • A05:2021: Security Misconfiguration
  • A09:2021: Security Logging and Monitoring Failures

Available Labs

Open Java labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.