
Stack Trace In Response

Discover Pynt's documentation on security tests for stack trace in response vulnerabilities! Learn how Pynt secures your APIs against potential exposure of sensitive information.

At a Glance: 🛠️ Stack Trace in Response occurs when an application exposes its internal stack trace in the API response, revealing sensitive implementation details to attackers. This can give attackers valuable information about the application’s structure, libraries, and environment, making it easier to exploit vulnerabilities. It’s essential to remove or sanitize stack traces from responses in production environments to prevent exposing critical details.


Introduction

A stack trace is a list of function calls that shows the flow of execution of a program. It can contain information about the names and locations of functions, variables, and parameters used in the code. If a stack trace is returned in an API response, it can reveal details about the server-side implementation of the API, including the programming language, framework, and libraries used, as well as the file path and line numbers of the code that threw the error.

Returning stack traces in API responses is generally not a good idea because it can expose sensitive information about your server and potentially compromise its security.

What are the common mistakes made by developers?

There could be a few reasons why you are seeing stack traces returned by your API:

  1. Debug Mode: Some programming languages and frameworks have a "debug mode" which is used during development to help diagnose issues. When debug mode is enabled, stack traces may be returned in API responses. It's important to disable debug mode in production environments to prevent sensitive information from being exposed.

  2. Error Handling: If your API is not handling errors correctly, it may be returning stack traces to clients. This can happen if your API is not configured to catch and handle exceptions in a way that prevents stack traces from being displayed.

How can I fix returned stack trace issues?

It's important to ensure that your API is properly configured to handle errors and that stack traces are not returned to clients in production environments. You should also consider implementing custom error messages that provide enough information for clients to understand the problem without revealing sensitive information. This can help improve the security of your API and prevent potential attacks.

For example, to disable stack traces returned by Flask, you can set the debug configuration option to False in your Flask application. Here's an example:

from flask import Flask

app = Flask(__name__)
# Turn off debug mode: with DEBUG set to True, an unhandled exception returns
# Flask's interactive debugger page, which includes the full stack trace.
app.config['DEBUG'] = False

# Your Flask routes and application code here

When debug is set to True, Flask will return detailed error messages including stack traces. By setting it to False, Flask will return a simpler error message that does not include a stack trace.

It's important to note that you should disable debug mode in production environments to prevent sensitive information from being exposed. In development environments, you can still use the stack trace for debugging purposes, but it should not be exposed to clients.
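Disabling debug mode covers the first mistake above; the second fix this page recommends, catching exceptions so that the client only ever sees a generic message, is shown here as an added example (written for this page, not Pynt's code and not Flask's). It uses the standard-library WSGI interface instead of Flask so it runs without any dependencies; `leaky_app`, `debug_mode`, `sanitize_errors` and `call` are hypothetical names, and `debug_mode` only mimics what a framework's debug mode does so the two behaviours can be compared side by side.

```python
import json
import logging
import sys
import traceback
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("api")


def leaky_app(environ, start_response):
    """Hypothetical WSGI app with no error handling of its own.
    A request to /boom raises before any response is started."""
    if environ.get("PATH_INFO") == "/boom":
        raise KeyError("internal record 4711 not found")  # constructed failure
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def debug_mode(app):
    """Mimics a framework's debug mode: the traceback is written into the
    response body. This is the vulnerable behaviour the test looks for."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            body = traceback.format_exc().encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [body]
    return wrapped


def sanitize_errors(app):
    """Hardened counterpart: any unhandled exception becomes a generic JSON
    500. The full traceback stays server-side in the log, where developers
    can still read it."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            log.error("unhandled error on %s\n%s",
                      environ.get("PATH_INFO"), traceback.format_exc())
            body = json.dumps({"error": "internal server error"}).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]
    return wrapped


def call(app, path):
    """Invoke a WSGI app in-process with a synthetic request (no network)
    and return (status line, decoded body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for label, app in (("debug mode", debug_mode(leaky_app)),
                       ("sanitized", sanitize_errors(leaky_app))):
        status, body = call(app, "/boom")
        print(f"{label}: {status}\n{body}\n")
```

Running the block prints the same failing request twice: once with the traceback in the body, once as `{"error": "internal server error"}`. The middleware approach is framework-independent; in Flask the equivalent is an `@app.errorhandler(Exception)` that logs and returns a generic response.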

Test cases in this category

This test case checks for stack traces returned in responses.

Test case | OWASP | CWE
--- | --- | ---
[ST001] Stack trace in response | API7 OWASP API Top 10 | CWE-388

Last updated 8 months ago
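As an added illustration of what a check like ST001 looks for (example code written for this page, not Pynt's detection logic), the following scans response bodies for the stack-trace formats of common runtimes, undoing the HTML wrapping and entity escaping that debug pages put around a trace. The signatures, the function names and the sample responses are all constructed for the example; it flags a trace regardless of status code, since a 200 response can leak one too.

```python
import html
import re

# Signatures of stack-trace formats from common runtimes: (runtime, regex).
# Constructed for this example; not Pynt's detection rules.
SIGNATURES = [
    ("python", re.compile(r"^Traceback \(most recent call last\):", re.M)),
    ("python", re.compile(r'^\s*File "[^"\n]+", line \d+, in \S+', re.M)),
    ("java", re.compile(r"^\s*at [\w$.]+\([\w$]+\.(?:java|kt):\d+\)", re.M)),
    ("dotnet", re.compile(r"^\s*at [\w.`]+\(.*\) in .+:line \d+", re.M)),
    ("node", re.compile(r"^\s*at .+ \(.+\.[cm]?js:\d+:\d+\)", re.M)),
    ("php", re.compile(r"^Stack trace:\s*\n#0 ", re.M)),
    ("go", re.compile(r"^goroutine \d+ \[[^\]]+\]:", re.M)),
    ("ruby", re.compile(r"\.rb:\d+:in `", re.M)),
]

TAG = re.compile(r"<[^>]+>")


def normalise(body):
    """Undo the two things debug pages do that hide a trace from naive
    matching: HTML tags around it and entity-escaped quotes inside it."""
    return html.unescape(TAG.sub("\n", body))


def detect_stack_trace(body):
    """Return (runtime, evidence line) pairs for every signature found."""
    text = normalise(body)
    findings = []
    for runtime, pattern in SIGNATURES:
        match = pattern.search(text)
        if match:
            findings.append((runtime, match.group(0).strip().splitlines()[0]))
    return findings


def scan_response(status, headers, body):
    """Classify one response the way a stack-trace-in-response check would."""
    hits = detect_stack_trace(body)
    return {
        "vulnerable": bool(hits),
        "status": status,
        "content_type": headers.get("Content-Type", ""),
        "runtimes": sorted({runtime for runtime, _ in hits}),
        "evidence": [line for _, line in hits],
    }


# Constructed sample responses: (status, headers, body), keyed by a label.
SAMPLE_RESPONSES = {
    "python_debug_page": (500, {"Content-Type": "text/html"},
        "<h1>KeyError</h1><pre>Traceback (most recent call last):\n"
        "  File &quot;/srv/app/views.py&quot;, line 42, in get_user\n"
        "    return users[uid]\nKeyError: &#x27;uid&#x27;</pre>"),
    "java_plain": (500, {"Content-Type": "text/plain"},
        "java.lang.NullPointerException\n"
        "\tat com.example.api.UserService.find(UserService.java:88)\n"
        "\tat com.example.api.UserController.get(UserController.java:31)\n"),
    "sanitized": (500, {"Content-Type": "application/json"},
        '{"error": "internal server error"}'),
    "mentions_traces": (200, {"Content-Type": "application/json"},
        '{"doc": "error responses never include a stack trace"}'),
}


def scan_all(responses=SAMPLE_RESPONSES):
    """Map each label to its scan result; used by the demo below."""
    return {label: scan_response(*resp) for label, resp in responses.items()}


if __name__ == "__main__":
    for label, result in scan_all().items():
        flag = "LEAK" if result["vulnerable"] else "ok  "
        print(f"{flag} {label}: {result['runtimes']} {result['evidence'][:1]}")
```

The last sample shows why the check matches trace structure rather than the words "stack trace": a body that merely talks about errors is not a finding. Pointing `scan_all` at responses captured from your own API (for example from a HAR file) gives a quick offline triage before a full scan.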