E01 Verbose Error Handling
What this means
SiteShadow flagged responses/logging that may expose too much internal detail to end users (stack traces, file paths, SQL errors, secrets, internal hostnames).
Why it matters
Verbose errors can leak stack traces, file paths, or sensitive data.
- Easier exploitation: attackers learn frameworks, table names, endpoints, and versions.
- Secret leakage: tokens/keys sometimes appear in exception messages or debug dumps.
- Privacy exposure: user data can leak via "helpful" error messages.
Safer examples
1) Return safe error messages to clients
res.status(500).json({ error: "Something went wrong", code: "INTERNAL_ERROR" });
2) Log details server-side (with redaction)
- Keep verbose errors in logs (restricted access).
- Redact secrets and PII before logging.
3) Disable debug in production
Ensure framework "debug mode" is off in prod (see C01 / A05).
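Putting the three points above together, as an added example that is not SiteShadow's own code: an Express-style error handler that sends the client only a generic message plus a correlation id, and keeps the verbose detail in a server-side log after redaction. The `redact` patterns, the `buildErrorResponse` / `errorHandler` helpers and the `isProd` switch are assumptions of this example, not SiteShadow settings.

```javascript
// Added example (not SiteShadow code). Patterns for values that must never
// reach the log in the clear; constructed for this example, extend as needed.
const REDACTIONS = [
  [/(Bearer\s+)[A-Za-z0-9\-._~+/]+=*/g, "$1[REDACTED]"],
  [/(password|passwd|api[_-]?key|secret|token)(\s*[=:]\s*)\S+/gi, "$1$2[REDACTED]"],
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, "[EMAIL]"],
];

// Apply every redaction rule to a string (stack traces, messages, dumps).
function redact(text) {
  return REDACTIONS.reduce((s, [re, sub]) => s.replace(re, sub), String(text));
}

// Build both halves of an error response: what the client sees and what is
// logged. `isProd` mirrors the framework's debug-mode switch (hypothetical).
function buildErrorResponse(err, { isProd = true } = {}) {
  // Opaque correlation id so support can find the log entry; not a secret.
  const errorId = Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
  const logEntry = {
    errorId,
    message: redact(err.message),
    stack: redact(err.stack || ""),
  };
  const clientBody = { error: "Something went wrong", code: "INTERNAL_ERROR", errorId };
  if (!isProd) {
    // Outside production, echo the redacted message to help developers.
    clientBody.detail = logEntry.message;
  }
  return { status: 500, clientBody, logEntry };
}

// Express-style error middleware (err, req, res, next). `logger` is injected so
// the handler can be exercised without a framework or a real log sink.
function errorHandler({ isProd = true, logger = console } = {}) {
  return (err, req, res, next) => {
    const { status, clientBody, logEntry } = buildErrorResponse(err, { isProd });
    logger.error(JSON.stringify(logEntry)); // verbose copy stays server-side
    res.status(status).json(clientBody);    // generic copy goes to the client
  };
}
```

With a real app this is registered after the routes (`app.use(errorHandler({ isProd: process.env.NODE_ENV === "production" }))`), so any thrown exception reaches it instead of the framework's default verbose page.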
How SiteShadow detects it (high level)
- Flags known patterns for returning stack traces/raw exceptions in HTTP responses.
- Detects "debug mode" settings and error handlers that reflect exception objects to clients.
References
- CWE-209: https://cwe.mitre.org/data/definitions/209.html
---