| name | verbose-error-messages-anti-pattern |
| description | Security anti-pattern for verbose error messages (CWE-209). Use when generating or reviewing code that handles errors, exceptions, or generates user-facing error responses. Detects stack trace exposure and detailed error information leakage to users. |
Verbose Error Messages Anti-Pattern
Severity: Medium
Summary
Applications expose internal information (stack traces, database errors, file paths, configuration details) in error messages, enabling attackers to understand architecture, identify vulnerabilities, and craft targeted attacks. Suppress detailed errors in production.
The Anti-Pattern
The anti-pattern is presenting raw exception messages or system errors directly to end-users.
BAD Code Example
from flask import Flask, request, jsonify
import sqlite3
app = Flask(__name__)
@app.route("/user_profile")
def user_profile():
user_id = request.args.get("id")
try:
conn = sqlite3.connect("database.db")
cursor = conn.cursor()
cursor.execute(f"SELECT username, email FROM users WHERE id = {user_id}")
user_data = cursor.fetchone()
conn.close()
if user_data:
return jsonify({"username": user_data[0], "email": user_data[1]})
else:
return "User not found", 404
except Exception as e:
return f"An internal server error occurred: {str(e)}", 500
GOOD Code Example
from flask import Flask, request, jsonify
import sqlite3
import logging
import traceback
app = Flask(__name__)
logging.basicConfig(level=logging.ERROR, format='%(asctime)s - %(levelname)s - %(message)s')
@app.route("/user_profile_secure")
def user_profile_secure():
user_id = request.args.get("id")
try:
conn = sqlite3.connect("database.db")
cursor = conn.cursor()
cursor.execute("SELECT username, email FROM users WHERE id = ?", (user_id,))
user_data = cursor.fetchone()
conn.close()
if user_data:
return jsonify({"username": user_data[0], "email": user_data[1]})
else:
return "User not found", 404
except Exception as e:
error_id = str(uuid.uuid4())
logging.error(f"Error ID: {error_id}. Detailed error: {e}\n{traceback.format_exc()}")
return jsonify({
"error": "An internal server error occurred.",
"message": "Please try again later. If the problem persists, contact support with Error ID: " + error_id
}), 500
@app.route("/login")
def login():
username = request.form.get("username")
password = request.form.get("password")
if not authenticate_user(username, password):
return jsonify({"message": "Invalid credentials"}), 401
return jsonify({"message": "Login successful"}), 200
Detection
- Review error handling code: Look for
try...except blocks or global error handlers. Check what information is returned to the user in the except block.
- Test with invalid inputs: Deliberately trigger errors by providing malformed data, invalid IDs, or non-existent resources. Observe the error messages returned by the application.
- Check server configurations: Ensure that web servers (Apache, Nginx) and application frameworks (Spring, Django, Flask) are configured to suppress detailed errors and custom 500 error pages in production.
Prevention
Related Security Patterns & Anti-Patterns
References
