Verbose Error Messages and Stack Traces

Overview

Applications often inadvertently leak information from the web server due to verbose error messages. These error messages and stack traces reveal useful backend information that is normally not available to the user, such as libraries in use, web framework type, server versions, expected data input type, etc. This is useful information in forming an attack on the application and or organization.

As an example I once found a Local File Inclusion vulnerability that I was attempting to exploit but unable to pull source code from the application due to not knowing the directory paths. Verbose error messages revealed the directories in use and I was able to use that information to form the correct LFI payloads to extract the source code of the application.

Example

This example from Appsecco's DVNA illustrates the vulnerability. When inputing invalid input, in this case XD , in the calculator page of the application http://127.0.0.1/app/calc it returns a verbose error message with stack traces revealing the web framework in use (Node) as well as the modules in use.

There are two issues that are creating this vulnerability. First the NodeJS application is running in Development mode. Change the environment variable to production NODE_ENV=production .

The source code that handles this functionality is /core/appHandler.js. The code checks if the HTTP request body has a value for the body parameters eqn, if so it renders the calculator and evaluates the math equation input (from the body parameter eqn).

module.exports.calc = function (req, res) {
	if (req.body.eqn) {
		res.render('app/calc', {
			output: mathjs.eval(req.body.eqn)
		})
	} else {
		res.render('app/calc', {
			output: 'Enter a valid math string like (3+3)*2'
		})
	}
}

The solution to this is to catch error messages using a try catch exception handling block. The try catch block starts on line 3 and catches errors on line 13.

module.exports.calc = function (req, res) {
	if(vh.vEqn(req.body.eqn)){
		try{
			if (req.body.eqn) {
				res.render('app/calc', {
					output: mathjs.eval(req.body.eqn)
				})
			} else {
				res.render('app/calc', {
					output: 'Enter a valid math string like (3+3)*2'
				})
			}
		}catch(err){
			res.render('app/calc', {
				output: 'Enter a valid math string like (3+3)*2'
			})				
		}		
	}else{
		res.render('app/calc', {
			output: 'Enter a valid math string like (3+3)*2'
		})
	}
}

For further reading:

Improper Error Handling | OWASP Foundationowasp.org

Error Handling - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

https://appsecco.com/books/dvna-developers-security-guide/solution/a6-securty-misconfig.htmlappsecco.com

Appsecco DVNA example used above