SCP07 Error Handling and Logging
What this means
SiteShadow flagged error handling and logging patterns that expose too much information or leak sensitive data (stack traces to users, secrets in logs, overly detailed auth errors).
Why it matters
Verbose errors and sensitive logs aid attackers.
- Information disclosure: stack traces reveal internals, paths, queries, or secrets.
- Credential leakage: tokens/passwords in logs are easy to exfiltrate (see L01/CWE-532).
- Attack acceleration: detailed errors help attackers iterate faster.
Safer examples
1) Return generic errors to clients, log details server-side
Expose minimal details to users (a generic message plus an opaque correlation id); keep the stack trace, query text and request detail in protected server-side logs, keyed by that id so support can find them.
2) Redact sensitive fields before logging
def redact(s: str) -> str:
    """Keep a short prefix (enough to tell which credential it was) and drop the rest."""
    return (s[:4] + "…") if s else ""
3) Avoid "user not found" vs "wrong password"
Use uniform auth error messages and rate limits (see A07 / CWE-799).
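The three patterns above combined in one runnable Python module, as an added example that is not SiteShadow's code or code from the original page. It uses only the standard library. The redact() function is the one from the page; scrub(), RedactingFilter, handle_exception() and authenticate() are names assumed for this example, and the sensitive-key list, the token-like regex, the user store and the failure threshold are constructed for it (the sha256 user store keeps the example offline; real code uses a slow salted hash such as argon2 or bcrypt).

```python
import hashlib
import hmac
import logging
import re
import secrets
from typing import Any, Dict, List

# Keys whose values are fully masked before logging (constructed list; extend for your app).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "cookie", "set-cookie", "api_key"}
# Heuristic for token-like strings in free text: a JWT, or any run of 32+ base64url-ish characters.
# The length cutoff is an assumption: it catches hex digests and API keys but leaves short ids alone.
TOKEN_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|[A-Za-z0-9_-]{32,}")
GENERIC_AUTH_ERROR = "Invalid username or password."
MAX_FAILURES = 5  # constructed threshold for the per-username throttle


def redact(s: str) -> str:
    """Keep a 4-char prefix so operators can tell which credential it was, drop the rest."""
    return (s[:4] + "…") if s else ""


def scrub(value: Any) -> Any:
    """Recursively mask sensitive keys and redact token-like strings in anything about to be logged."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return TOKEN_RE.sub(lambda m: redact(m.group(0)), value)
    return value


class RedactingFilter(logging.Filter):
    """Handler-level filter: scrubs the rendered message of every record written to this sink."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())  # render msg % args, then redact the result
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the example checks itself; a real service writes to a protected sink."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


log = logging.getLogger("scp07.example")
log.setLevel(logging.INFO)
log.propagate = False
handler = ListHandler()
handler.addFilter(RedactingFilter())
log.addHandler(handler)


def handle_exception(exc: Exception, request: Dict[str, Any]) -> Dict[str, Any]:
    """Client gets a generic body plus a correlation id; traceback and request detail go only to the log."""
    correlation_id = secrets.token_hex(8)  # 16 hex chars: short enough not to trip TOKEN_RE
    log.error("request failed id=%s path=%s headers=%s",
              correlation_id, request.get("path"), scrub(request.get("headers", {})), exc_info=exc)
    return {"error": "Internal server error", "id": correlation_id}


# Constructed user store for the example (see lead-in about real password hashing).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"dummy-for-unknown-users").hexdigest()
FAILURES: Dict[str, int] = {}


def authenticate(username: str, password: str) -> Dict[str, Any]:
    """Uniform failure message and comparable work whether the user is unknown or the password is wrong."""
    if FAILURES.get(username, 0) >= MAX_FAILURES:
        # Throttle by username, unknown names included, with the same message, so lockout cannot enumerate accounts.
        log.info("auth throttled user=%s", username)
        return {"ok": False, "error": GENERIC_AUTH_ERROR}
    stored = USERS.get(username, DUMMY_HASH)  # always hash and compare, even for unknown users
    candidate = hashlib.sha256(password.encode()).hexdigest()
    if username in USERS and hmac.compare_digest(stored, candidate):
        FAILURES.pop(username, None)
        return {"ok": True}
    FAILURES[username] = FAILURES.get(username, 0) + 1
    # The precise reason is useful to operators and stays in the protected log, never in the response.
    log.info("auth failure user=%s reason=%s", username,
             "unknown user" if username not in USERS else "bad password")
    return {"ok": False, "error": GENERIC_AUTH_ERROR}
```

Two caveats worth knowing before copying this pattern: the filter redacts the rendered message only, so exception text attached via exc_info is formatted by the handler unredacted and must still go to a protected sink; and the 32-character cutoff is a heuristic that will miss short secrets, so the key-based masking in scrub() is the primary control and the regex is a backstop.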
How SiteShadow detects it (high level)
- Detects patterns like returning stack traces, logging request bodies/headers, or logging token-like strings.
- Flags sensitive data flows into logging sinks and overly descriptive error messages in auth flows.
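To make the detection description above concrete, an added illustration that is not SiteShadow's detection engine (its actual rules are not published on this page): a line-oriented heuristic scanner in Python that runs the same kinds of pattern checks over constructed sample source lines. scan(), RULES and SAMPLE_SOURCE are names assumed for this example, and the sample lines are constructed, not taken from any real application.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample source lines standing in for an application under review.
SAMPLE_SOURCE = """\
logger.info("login attempt for %s", username)
return JSONResponse({"error": "Internal server error", "id": cid}, status_code=500)
logger.debug("incoming headers: %s", request.headers)
logger.debug("body=%s", request.body)
return HTTPResponse(traceback.format_exc(), status=500)
logger.info("using key %s", API_KEY)
return JSONResponse({"error": "user not found"}, status_code=401)
return JSONResponse({"error": "wrong password"}, status_code=401)
return JSONResponse({"error": "Invalid username or password."}, status_code=401)
return JSONResponse({"error": str(e)}, status_code=500)
"""

# Each rule: (finding name, regex). Heuristics of this kind trade precision for coverage,
# so every hit is a candidate for review, not a confirmed defect.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("traceback/exception text returned to client",
     re.compile(r"\breturn\b.*(traceback\.format_exc|\bstr\(e\)|\brepr\(e\))")),
    ("request headers/body logged",
     re.compile(r"\blog(ger|ging)?\.(debug|info|warning|error|critical)\(.*request\.(headers|body|cookies)")),
    ("token-like name in log call",
     re.compile(r"\blog(ger|ging)?\.\w+\(.*\b(token|secret|api_?key|password|authorization)\b", re.I)),
    ("auth response distinguishes user vs password",
     re.compile(r"\breturn\b.*\b(user not found|no such user|unknown user|wrong password|incorrect password)\b", re.I)),
]


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding name, stripped line) for every sample line that trips a rule."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, name, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}: {text}")
```

Lines 1, 2 and 9 of the sample are the safe forms (diagnostic log without secrets, generic error with correlation id, uniform auth message) and produce no findings; the remaining lines each trip exactly one rule.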
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---