
Offensive360 Academy
Beginner · 15 min

Verbose Error Messages

See how stack traces, SQL errors, and internal paths leak system information that attackers use to target exploits.

1 Information Leakage via Error Messages

Verbose error messages provide attackers with reconnaissance data that makes subsequent attacks more targeted and effective.

SQL error disclosure (PHP):

// Vulnerable: shows the raw database error to users.
// $sql was built from unsanitized user input, so the error text
// echoes back the fragment of the query the input landed in.
$result = mysqli_query($conn, $sql);
if (!$result) {
    die("Query failed: " . mysqli_error($conn));
    // Shows: "You have an error in your SQL syntax; check the manual
    //         that corresponds to your MySQL server version for the
    //         right syntax to use near 'admin' at line 1"
    // Reveals: the database engine (MySQL), and exactly where the
    // attacker's input sits in the query. Other errors name schema
    // objects outright, e.g. "Unknown column 'passwd' in 'field list'".
}

Stack trace disclosure (Python/Flask):

import traceback
from flask import Flask

app = Flask(__name__)

@app.errorhandler(500)
def internal_error(e):
    # Vulnerable: the handler runs while the exception is still being
    # handled, so format_exc() renders the full traceback into the body
    return traceback.format_exc(), 500  # Exposes file paths, function names, line numbers
    # Example: "FileNotFoundError: [Errno 2] No such file or directory:
    #           '/var/app/data/config/secrets.yaml'"
    # Reveals: exact file system structure!

What attackers learn from verbose errors:

  • Technology stack (database type, framework, language, versions)
  • File system structure and paths
  • Table names, column names, query structure
  • Internal IP addresses or hostnames

2 Generic Error Pages and Structured Logging

Show users generic error pages while logging full details to internal, secure logging infrastructure.

Generic error response (Express.js):

const express = require("express");
const winston = require("winston");
const { randomUUID } = require("crypto");

const app = express();

// Internal logger: ship to centralized log storage, never to the client
const logger = winston.createLogger({
  level: "info",
  format: winston.format.json(),
  transports: [new winston.transports.Console()]
});

// ... routes go here; the error handler must be registered last, and the
// four-argument signature is what tells Express it is an error handler

app.use((err, req, res, next) => {
  // Log full details internally with a correlation ID
  // (req.id is set by a request-ID middleware if one is installed)
  const correlationId = req.id || randomUUID();
  logger.error({
    correlationId,
    message: err.message,
    stack: err.stack,
    url: req.url,
    user: req.user?.id
  });

  // Generic response — no internal details
  res.status(500).json({
    error: "An unexpected error occurred.",
    correlationId  // User can provide this for support
  });
});

Custom error pages in Nginx:

error_page 500 502 503 504 /50x.html;
location = /50x.html {
  root /usr/share/nginx/html;
  internal;
  # Static page — no dynamic error info
}

Defense checklist:

  • Never show raw database errors to users
  • Replace stack traces with generic messages in production
  • Log full error details to centralized, secure logging
  • Include correlation IDs to link user reports to server logs
  • Use custom error pages for 4xx and 5xx HTTP errors
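
The hardened counterpart of the Flask handler shown in section 1, written for this page as an added example; it is not code from Offensive360 or the original page. The handler logic needs only the standard library. The create_app wiring is an assumed layout and imports Flask only when called, so the module runs without Flask installed. The demo function reproduces the secrets.yaml failure with a constructed exception and returns what the client receives next to the internal log line, so the two can be compared directly.

```python
import json
import logging
import traceback
import uuid

# Internal logger. Attach its handler to the central log pipeline (file,
# syslog, SIEM shipper); its output must never reach the HTTP response.
logger = logging.getLogger("app.errors")


def build_internal_log(exc, correlation_id, path="", user=None):
    """Full detail for operators: exception type, message, traceback, request context."""
    return {
        "correlationId": correlation_id,
        "type": type(exc).__name__,
        "message": str(exc),
        "stack": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
        "path": path,
        "user": user,
    }


def build_client_response(correlation_id):
    """What the client sees: a fixed message plus the ID it can quote to support."""
    return {"error": "An unexpected error occurred.", "correlationId": correlation_id}, 500


def handle_exception(exc, path="", user=None, correlation_id=None):
    """Log everything internally; return only the generic body and status."""
    correlation_id = correlation_id or str(uuid.uuid4())
    logger.error(json.dumps(build_internal_log(exc, correlation_id, path, user)))
    return build_client_response(correlation_id)


def create_app():
    """Assumed Flask wiring; Flask is imported here so the rest of the module runs without it."""
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.errorhandler(500)
    def internal_error(e):
        # Flask >= 1.1 wraps the real exception in e.original_exception
        original = getattr(e, "original_exception", None) or e
        body, status = handle_exception(
            original,
            path=request.path,
            user=None,  # fill from your auth layer (assumed)
            correlation_id=request.headers.get("X-Request-ID"),
        )
        return jsonify(body), status

    return app


def demo():
    """Reproduce the page's secrets.yaml failure with a constructed exception.

    Returns (client body, status, internal log line).
    """
    captured = []

    class Capture(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())

    handler = Capture()
    logger.addHandler(handler)
    try:
        try:
            # Constructed failure: no file is actually opened
            raise FileNotFoundError(2, "No such file or directory",
                                    "/var/app/data/config/secrets.yaml")
        except FileNotFoundError as exc:
            body, status = handle_exception(exc, path="/settings", user="42")
    finally:
        logger.removeHandler(handler)
    return body, status, captured[0]


if __name__ == "__main__":
    body, status, log_line = demo()
    print("client sees:", status, body)
    print("operators see:", log_line)
```

The split into build_internal_log and build_client_response is deliberate: the only value shared between the two is the correlation ID, so a later change to the internal record cannot accidentally widen what the client receives. Honouring an incoming X-Request-ID header lets the ID in the user's report line up with the ID your proxy or tracing layer already logged.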

Knowledge Check

Q1

What useful reconnaissance information can a MySQL error message reveal to an attacker?

Q2

What is the purpose of including a correlation ID in error responses?

Q3

A stack trace shows "/var/app/config/database.yml" — what information does this give an attacker?

Code Exercise

Return Generic Error Messages

The Flask error handler returns raw exception details. Fix it to log the full error internally and return a generic message to the user.
