# Generation of Error Message Containing Sensitive Information (CWE-209) The product generates an error message that includes sensitive information about its environment, users, or associated data. **Stack:** JavaScript - Prevalence: 보통 3개 언어 지원 - Impact: 보통 검토 권장 - Prevention: 문서화됨 5개의 수정 예시 **OWASP:** Insecure Design (A04:2021-Insecure Design) - #4 ## Description The sensitive information may be valuable information on its own, or it may be useful for launching other, more serious attacks. The error message may be created in different ways, and the information that is included can range widely. ## Prevention 2개의 Shoulder 탐지 규칙을 기반으로 한 Error Message Information Leak 예방 전략. ### JavaScript Return generic error messages to users and log detailed errors server-side Configure errorFormatter to strip stack traces in production and use TRPCError with generic messages ## Warning Signs - [MEDIUM] exposure of sensitive error information (error - [MEDIUM] Error handling exposes implementation details. Use error formatter to sanitize errors in production. ## Consequences - 애플리케이션 데이터 읽기 - 파일 또는 디렉터리 읽기 ## Mitigations - 예외는 내부에서 처리하고 사용자에게 오류를 노출하지 마세요 - 404, 500 등 HTTP 오류용 기본 오류 페이지를 만드세요 - 서버에는 상세 오류를 기록하되 사용자에게는 일반적인 메시지만 보여주는 적절한 오류 처리를 구현하세요 ## Detection - Total rules: 5 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (2 rules) - **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack, raw error objects) in HTTP responses. This can leak: - Internal file paths and directory structure - Database schema and query details - Third-party API endpoints and credentials - Software versions and technology stack - Business logic and validation rules Attackers use this information to: - Map internal architecture - Identify vulnerable dependencies - Craft targeted attacks - Bypass security controls - Remediation: Return generic error messages to users and log detailed errors server-side. ```javascript } catch (error) { logger.error('Failed', { error: error.message }); res.status(500).json({ error: 'An error occurred' }); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure - **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers in reconnaissance and exploitation. - Remediation: Use errorFormatter to sanitize errors in production. ```typescript export const t = initTRPC.context().create({ errorFormatter({ shape }) { return { ...shape, data: { ...shape.data, stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack } }; } }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak ### Typescript (2 rules) - **Information Exposure Through Error Messages** [MEDIUM]: Detects exposure of sensitive error information (error.message, error.stack, raw error objects) in HTTP responses. This can leak: - Internal file paths and directory structure - Database schema and query details - Third-party API endpoints and credentials - Software versions and technology stack - Business logic and validation rules Attackers use this information to: - Map internal architecture - Identify vulnerable dependencies - Craft targeted attacks - Bypass security controls - Remediation: Return generic error messages to users and log detailed errors server-side. ```javascript } catch (error) { logger.error('Failed', { error: error.message }); res.status(500).json({ error: 'An error occurred' }); } ``` Learn more: https://shoulder.dev/learn/javascript/cwe-209/error-message-exposure - **tRPC Error Information Disclosure** [MEDIUM]: Exposing raw errors, stack traces, or database details to clients aids attackers in reconnaissance and exploitation. - Remediation: Use errorFormatter to sanitize errors in production. ```typescript export const t = initTRPC.context().create({ errorFormatter({ shape }) { return { ...shape, data: { ...shape.data, stack: process.env.NODE_ENV === 'production' ? undefined : shape.data.stack } }; } }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-209/error-information-leak