Stack Traces

Checklist

Methodology

Black Box

Verbose Error Disclosure via Malformed JSON

1. Identify the API endpoint and send malformed JSON:

POST /api/login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username":"admin","password":}

2. Observe the server response. If it contains a stack trace, such as:

TypeError: Cannot read property 'password' of undefined
    at AuthController.login (/var/www/app/controllers/AuthController.js:47:15)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)

3. If file paths, framework names, or line numbers are disclosed, stack trace exposure is confirmed.


SQL Error Trigger

1. Identify an endpoint that interacts with the database.

2. Inject invalid input:

GET /api/products?id=' HTTP/1.1
Host: target.com

3. Observe the response. If a database error appears, such as:

SQLSTATE[42000]: Syntax error or access violation
in /var/www/app/models/ProductModel.php on line 88

4. If the backend query structure or file location is exposed, stack trace disclosure exists.

5. If internal SQL details are visible, the vulnerability is confirmed.


Invalid HTTP Method Handling

1. Send an unsupported HTTP method:

TRACE /api/user/profile HTTP/1.1
Host: target.com

2. If the server returns a framework-level exception, such as:

Unhandled Exception: MethodNotAllowedException
at Router.handle (/app/core/router.js:102)

3. If the internal routing structure and file paths are revealed, exception handling is misconfigured.

4. If a raw stack trace is exposed instead of a generic error message, the stack trace vulnerability is confirmed.


Parameter Type Mismatch

1. Send an incorrect parameter type:

GET /api/users/abc HTTP/1.1
Host: target.com

2. Observe the response. If the server returns something like:

NumberFormatException: For input string: "abc"
at java.lang.Integer.parseInt(Integer.java:580)
at com.app.UserController.getUser(UserController.java:63)

3. If language runtime details and source code paths are disclosed, stack trace exposure exists.

4. If detailed exception information is visible in production API responses, the stack trace vulnerability is confirmed.
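Each of the four scenarios above is fixed the same way: one error boundary that decides what the client sees, kept separate from what is logged. As an added example, not code from this cheat sheet, the following dependency-free Node.js handler does that for request shapes matching the scenarios: a malformed JSON body, an unsupported method and a non-numeric id each map to a generic 4xx message, and any unanticipated exception maps to a generic 500, while the full stack is written only to a server-side log under a correlation id the client also receives. The routes, the HttpError class and the helper names are hypothetical.

```javascript
// Added example (not the cheat sheet's own code): a dependency-free Node.js error
// boundary that keeps stack traces out of API responses. Every failure becomes a
// generic JSON body plus a correlation id; type, message and stack go to the
// server-side log only. Routes and names are hypothetical.

// Errors the handler anticipates (bad input, wrong method) carry a status and a
// client-safe message. Anything else is treated as an internal error.
class HttpError extends Error {
  constructor(status, message, headers = {}) {
    super(message);
    this.status = status;
    this.headers = headers;
  }
}

function parseJsonBody(raw) {
  try {
    return JSON.parse(raw);
  } catch (e) {
    // Never echo e.message: SyntaxError text exposes parser internals and input position.
    throw new HttpError(400, 'Request body is not valid JSON');
  }
}

function parseId(value) {
  // Validate before converting, so no NumberFormatException-style error can escape.
  if (!/^[1-9]\d{0,17}$/.test(value)) throw new HttpError(400, 'id must be a positive integer');
  return Number(value);
}

function requireMethod(method, allowed) {
  if (!allowed.includes(method)) {
    throw new HttpError(405, 'Method not allowed', { Allow: allowed.join(', ') });
  }
}

// A correlation id only has to be unique per process, not secret, so a
// timestamp plus counter is enough here.
let requestCounter = 0;
function newRequestId() {
  requestCounter += 1;
  return `req-${Date.now().toString(36)}-${requestCounter.toString(36)}`;
}

// Turns any thrown value into a response the client may see, recording full
// detail (including the stack) in `log` under the same requestId the client
// receives, so support staff can correlate a report with the log entry.
function toSafeResponse(err, log) {
  const requestId = newRequestId();
  const expected = err instanceof HttpError;
  const status = expected ? err.status : 500;
  log.push({ requestId, status, name: err && err.name, message: err && err.message, stack: err && err.stack });
  return {
    status,
    headers: { 'Content-Type': 'application/json', ...(expected ? err.headers : {}) },
    body: JSON.stringify({ error: expected ? err.message : 'Internal server error', requestId }),
  };
}

function ok(payload) {
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(payload) };
}

// Constructed account table for the login route (no credentials are stored).
const ACCOUNTS = { admin: { id: 1 } };

// Request shape: { method, path, body }. The routes mirror the checklist scenarios.
function handleRequest(req, log = []) {
  try {
    requireMethod(req.method, ['GET', 'POST']);
    if (req.method === 'POST' && req.path === '/api/login') {
      const creds = parseJsonBody(req.body);
      // Deliberately unguarded lookup: an unknown username throws a TypeError,
      // which exercises the internal-error path through toSafeResponse.
      return ok({ accountId: ACCOUNTS[creds.username].id });
    }
    const m = /^\/api\/users\/([^/]+)$/.exec(req.path || '');
    if (req.method === 'GET' && m) return ok({ id: parseId(m[1]) });
    throw new HttpError(404, 'Not found');
  } catch (err) {
    return toSafeResponse(err, log);
  }
}
```

The design point is that the client body is built from a fixed vocabulary (the HttpError message or the literal "Internal server error"), never from the exception's own text, and the log entry is where the stack lives. With that in place, the four requests from the checklist return 400, 405, 400 and 500 respectively with nothing a scanner could fingerprint, and a production incident is still debuggable by looking up the requestId.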


White Box

Cheat Sheet
