Information Disclosure - Debug Error Messages
What is it?
The API endpoint or server returns a response that contains the standard error messages emitted by application platforms such as ASP.NET and by web servers such as IIS and Apache.
Revealing standard error/debug information allows attackers to deduce the type of API server in use. This in turn enables them to try exploiting the server for known or unpatched vulnerabilities of that platform.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for the presence of standard error/debug messages that reveal the type of the API server.
What is the solution?
Disable debugging messages before promoting to production.
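The following is an added example, not code from this knowledge-base entry or from its scanner, illustrating both "How does it work?" and "What is the solution?". It checks response bodies for the stock error/debug output of common platforms and contrasts a verbose error page with the generic error body a production deployment should return. The signature list is an assumption drawn from the well-known default error pages of the platforms the entry names (ASP.NET, IIS, Apache) plus a few other common API stacks; the sample responses are constructed, not captured from any real host.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    platform: str  # platform the message fingerprints
    evidence: str  # matched text, kept short for the report


# Each pattern fingerprints a stock error/debug page or stack trace.
# Assumption: this list covers well-known default output of ASP.NET,
# IIS and Apache plus a few other common stacks; extend it for the
# platforms you actually run. Matching is case-sensitive on purpose,
# because the platforms emit these strings verbatim.
SIGNATURES = [
    ("ASP.NET", re.compile(r"Server Error in '[^']*' Application")),
    ("ASP.NET", re.compile(r"\[\w+Exception: [^\]]*\]")),
    ("ASP.NET", re.compile(r"Version Information: Microsoft \.NET Framework")),
    ("IIS", re.compile(r"HTTP Error \d{3}\.\d+ - ")),
    ("IIS", re.compile(r"<title>IIS [\d.]+ Detailed Error")),
    ("Apache", re.compile(r"<address>Apache/[\d.]+ .*Server at ")),
    ("Python", re.compile(r"Traceback \(most recent call last\):")),
    ("PHP", re.compile(r"(?:Fatal error|Warning|Notice): .* in /\S+\.php on line \d+")),
    ("Node.js", re.compile(r"^\s+at \S+ \(\S+\.js:\d+:\d+\)", re.MULTILINE)),
]


def analyze_body(body: str) -> list[Finding]:
    """Return one Finding per signature present in the response body."""
    findings = []
    for platform, pattern in SIGNATURES:
        match = pattern.search(body)
        if match:
            findings.append(Finding(platform, match.group(0)[:80]))
    return findings


def disclosed_platforms(body: str) -> set[str]:
    """Distinct platforms a verbose error page reveals; empty means clean."""
    return {f.platform for f in analyze_body(body)}


# Constructed sample responses (not captured from any real host).
ASPNET_DEBUG_PAGE = """<html><head><title>Object reference not set to an instance of an object.</title></head>
<body><h1>Server Error in '/' Application.</h1>
<pre>[NullReferenceException: Object reference not set to an instance of an object.]
   Api.Controllers.UsersController.Get(Int32 id) +42</pre>
<hr>Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4465.0
</body></html>"""

APACHE_ERROR_PAGE = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>500 Internal Server Error</title></head>
<body><h1>Internal Server Error</h1>
<address>Apache/2.4.41 (Ubuntu) Server at api.example.test Port 443</address>
</body></html>"""

# What the same failure should look like once debug output is disabled for
# production: a generic body plus a correlation id that lets the operator
# find the full stack trace in server-side logs without exposing it.
PRODUCTION_ERROR_BODY = '{"error":"internal_error","correlation_id":"c3f1a9e2"}'


if __name__ == "__main__":
    for name, body in [("ASP.NET debug page", ASPNET_DEBUG_PAGE),
                       ("Apache error page", APACHE_ERROR_PAGE),
                       ("production body", PRODUCTION_ERROR_BODY)]:
        print(name, "->", analyze_body(body) or "clean")
```

Run as a script it prints the findings for the two verbose pages and "clean" for the production body. The check is deliberately signature-based rather than keyed on the HTTP status code: a 500 with a generic JSON body is acceptable, while a 200 whose body carries a platform stack trace is still a disclosure.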