Avoid disclosing technical information
Summary
The application must not disclose internal system information such as stack traces, SQL statement fragments, database names or table names.
Description
Applications should fail safely whenever an unexpected event occurs, and how error messages are presented is part of failing safely. Specific technical information (stack traces, query fragments, schema names, internal paths) should therefore never be presented to unauthorized users, since an attacker can use it to fingerprint the system and to exploit other vulnerabilities more easily.
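The following is an added example, not code from the original requirement page: an unsafe error handler that echoes the exception and traceback to the client, beside a hardened one that logs the full detail server-side under a correlation id and returns only a generic message, plus a small check that flags stack-trace or SQL residue in a response body. The leak patterns and the simulated database failure are assumptions constructed for the example.

```python
import logging
import re
import traceback
import uuid

# Assumed (non-exhaustive) patterns that a client-facing error body must never contain.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File ".*?", line \d+'),
    re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET)\b", re.I),
    re.compile(r'\b(table|column|relation|database)\b\s+"?\w+"?\s+does not exist', re.I),
]


def leaks_technical_detail(body: str) -> bool:
    """Return True if a response body contains stack-trace or SQL residue."""
    return any(p.search(body) for p in LEAK_PATTERNS)


def unsafe_error_response(exc: BaseException) -> dict:
    """'Before': the exception text and traceback are sent straight to the client."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return {"status": 500, "body": "Error: %s\n%s" % (exc, detail)}


def safe_error_response(exc: BaseException, log: logging.Logger = None) -> dict:
    """'After': full detail goes to the server log keyed by a correlation id;
    the client only receives a generic message and that id for support."""
    log = log or logging.getLogger("app")
    incident_id = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident=%s %s", incident_id, detail)
    return {"status": 500, "body": "An unexpected error occurred. Reference: %s" % incident_id}


def _failing_query():
    # Constructed failure that mimics a database driver error with schema and SQL details.
    raise RuntimeError('relation "app_users" does not exist: SELECT id FROM app_users WHERE id = 1')


def run_demo() -> tuple:
    """Run the simulated failure through both handlers and return (unsafe, safe) responses."""
    try:
        _failing_query()
    except RuntimeError as exc:
        return unsafe_error_response(exc), safe_error_response(exc)
```

The same check can be run over captured responses from a staging environment to catch regressions where a framework's debug handler was left enabled.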
References
- CAPEC-116. Excavation
- CAPEC-224. Fingerprinting
- CWE-209. Generation of error message containing sensitive information
- CWE-210. Self-generated error message containing sensitive information
- AGILE-9. Continuous attention to technical excellence and good design
- PADSS-5_2_5. Improper error handling
- CMMC-AT_L2-3_2_1. Role-based risk awareness
- CMMC-SC_L2-3_13_8. Data in transit
- HITRUST-07_b. Ownership of assets
- HITRUST-09_m. Network controls
- HITRUST-09_ab. Monitoring system use
- ISO27002-8_8. Management of technical vulnerabilities
- ISO27002-8_26. Application security requirements
- WASSEC-6_2_5_2. Information disclosure - Information leakage
- ISSAF-T_6_6. Web application assessment - Identifying web server vendor and version (by error)
- ISSAF-T_16_1. Web application assessment - Input validation (validate data)
- ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)
- PTES-4_2_1_5. Business asset analysis - Organizational data (technical information)
- PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
- OWASPSCP-3. Authentication and password management
- OWASPSCP-7. Error handling and logging
- BSAFSS-EE_1-3. Error and exception handling capabilities
- ASVS-13_4_1. GraphQL
- ASVS-14_3_3. Unintended security disclosure
- PCI-1_4_5. Do not disclose internal IP addresses and routing information
- ISO27001-8_8. Management of technical vulnerabilities
- ISO27001-8_26. Application security requirements
- OWASPLLM-LLM02:2025. Sensitive Information Disclosure
- OWASPLLM-LLM07:2025. System Prompt Leakage
- OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses
- OWASPLLM-LLM10:2025. Unbounded Consumption
Weaknesses
- 037. Technical information leak
- 058. Debugging enabled in production - APK
- 066. Technical information leak - Console functions
- 183. Debugging enabled in production
- 232. Technical information leak - Angular
- 234. Technical information leak - Stacktrace
- 235. Technical information leak - Headers
- 236. Technical information leak - SourceMap
- 237. Technical information leak - Print Functions
- 238. Technical information leak - API
- 239. Technical information leak - Errors
- 289. Technical information leak - Logs
- 290. Technical information leak - IPs
- 342. Technical information leak - Alert
- 349. Technical information leak - Credentials
- 362. Technical information leak - Content response
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan