077 – Avoid disclosing technical information

Summary

The application must not disclose internal system information such as stack traces, SQL sentence fragments, database names or table names.

Description

Applications should fail safely whenever an unexpected event occurs. Error message presentation is part of this safe management. Therefore, specific technical information should not be presented to unauthorized users, as this could be leveraged by attackers to further exploit other vulnerabilities.

Supported In

Essential: True

Advanced: True

References

• CAPEC-116. Excavation
• CAPEC-224. Fingerprinting
• CWE-209. Generation of error message containing sensitive information
• CWE-210. Self-generated error message containing sensitive information
• AGILE-9. Continuous attention to technical excellence and good design
• PADSS-5_2_5. Improper error handling
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-SC_L2-3_13_8. Data in transit
• HITRUST-07_b. Ownership of assets
• HITRUST-09_m. Network controls
• HITRUST-09_ab. Monitoring system use
• ISO27002-8_8. Management of technical vulnerabilities
• ISO27002-8_26. Application security requirements
• WASSEC-6_2_5_2. Information disclosure - Information leakage
• ISSAF-T_6_6. Web application assessment - Identifying web server vendor and version (by error)
• ISSAF-T_16_1. Web application assessment - Input validation (validate data)
• ISSAF-T_16_3. Web application assessment - Input Validation (PHP insertion)
• PTES-4_2_1_5. Business asset analysis - Organizational data (technical information)
• PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
• OWASPSCP-3. Authentication and password management
• OWASPSCP-7. Error handling and logging
• BSAFSS-EE_1-3. Error and exception handling capabilities
• ASVS-13_4_1. GraphQL
• ASVS-14_3_3. Unintended security disclosure
• PCI-1_4_5. Do not disclosure of internal IP addresses and routing information
• ISO27001-8_8. Management of technical vulnerabilities
• ISO27001-8_26. Application security requirements
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses
• OWASPLLM-LLM10:2025. Unbounded Consumption

Weaknesses

• 183 – Debugging enabled in production
• 232 – Technical information leak - Angular
• 234 – Technical information leak - Stacktrace
• 235 – Technical information leak - Headers
• 236 – Technical information leak - SourceMap
• 237 – Technical information leak - Print Functions
• 238 – Technical information leak - API
• 239 – Technical information leak - Errors
• 289 – Technical information leak - Logs
• 290 – Technical information leak - IPs
• 342 – Technical information leak - Alert
• 349 – Technical information leak - Credentials
• 362 – Technical information leak - Content response
• 037 – Technical information leak
• 058 – Debugging enabled in production - APK
• 066 – Technical information leak - Console functions

Last updated

2025/06/17