Information Exposure Through Error Messages
Overview
Detailed error messages returned to clients can expose stack traces, file paths, SQL statements, server versions, and internal identifiers, revealing how the application is built and where it fails.
Impact
Return a generic user-facing message and log detailed diagnostics only in a protected server-side log.
Countermeasures
Configure the framework and web application server (WAS) error pages so that internal exception details are never shown to clients.
Examples
// Unsafe: the exception message, which may contain paths, SQL text or internal identifiers, is returned to the client
try {
    ...
} catch (Exception e) {
    e.printStackTrace();      // stack trace written to the console instead of a protected log
    return e.getMessage();    // internal exception details exposed to the caller
}
// Safe: the client receives only a fixed, generic error code; diagnostics stay on the server side
try {
    ...
} catch (Exception e) {
    System.out.println("ERROR1");  // server-side only; use the application logger in production
    return "ERROR1";               // generic message, no internal details
}
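As an added example (not part of the original guide), the unsafe and safe handlers side by side in plain Java, plus a simple check a reviewer or test can run on outgoing messages to catch internals that slipped through. The names `unsafeHandle`, `safeHandle`, `looksLikeLeak` and the failing `Runnable` with its error text are constructed for this example.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class SafeErrorHandling {
    private static final Logger LOG = Logger.getLogger(SafeErrorHandling.class.getName());

    // Markers that usually mean a client-facing message carries internal details:
    // exception names, stack frames, source/config paths, SQL statements, JDBC URLs.
    private static final Pattern LEAK = Pattern.compile(
        "(?i)(Exception|\\bat [a-z_$][\\w$]*(\\.[\\w$]+)+\\(|/[\\w./-]+\\.(java|xml|properties)|"
        + "\\b(select|insert|update|delete)\\b.+\\bfrom\\b|jdbc:)");

    /** True if the text that is about to reach the client looks like it exposes internals. */
    static boolean looksLikeLeak(String userFacing) {
        return userFacing != null && LEAK.matcher(userFacing).find();
    }

    /** Unsafe: reflects the raw exception text back to the caller. */
    static String unsafeHandle(Runnable work) {
        try { work.run(); return "OK"; }
        catch (Exception e) { return e.getMessage(); }
    }

    /** Safe: generic message carrying a correlation id; the full detail goes only to the server log. */
    static String safeHandle(Runnable work) {
        try { work.run(); return "OK"; }
        catch (Exception e) {
            String id = UUID.randomUUID().toString();
            // Stack trace and message are logged server-side, keyed by the id the user can quote to support.
            LOG.log(Level.SEVERE, "request failed, correlation id " + id, e);
            return "An internal error occurred. Reference: " + id;
        }
    }

    public static void main(String[] args) {
        // Constructed failure whose message embeds a SQL statement and a config path, as a driver error might.
        Runnable failing = () -> { throw new IllegalStateException(
            "SQLException: syntax error in SELECT * FROM users WHERE id=? (/opt/app/conf/db.properties)"); };
        String unsafe = unsafeHandle(failing);
        String safe = safeHandle(failing);
        System.out.println("unsafe -> " + unsafe + "  leak? " + looksLikeLeak(unsafe));  // leak? true
        System.out.println("safe   -> " + safe + "  leak? " + looksLikeLeak(safe));      // leak? false
    }
}
```

The `looksLikeLeak` check is a heuristic for tests and log review, not a replacement for fixing the handler; the correlation id is what lets support match a user report to the protected server-side log entry.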