# System Information Leakage

#### Tools recognizing this:

<kbd>Opengrep</kbd> <kbd>Fortify</kbd> <kbd>Checkmarx</kbd> <kbd>SonarQube</kbd> <kbd>Snyk</kbd> <kbd>Semgrep</kbd> <kbd>CodeQL</kbd>

## What is System Information Leakage and How Does it Work?

System Information Leakage occurs when an application inadvertently reveals sensitive technical information, such as stack traces, error messages, or system details. This information can be valuable to attackers, helping them understand the system's architecture and potential vulnerabilities.

The exposed information might include:

* Stack traces with internal code paths
* Database error messages
* Server versions and technologies
* Internal IP addresses or hostnames
* System file paths
* Debug information

This guide covers System Information Leakage, examples, prevention methods, and how to secure your application using real-world techniques.

## One Simple System Information Leakage Example

Consider this common example of error handling:

{% code overflow="wrap" %}

```
try {
    processRequest();
} catch (Exception e) {
    response.sendError(500, e.toString());
}
```

{% endcode %}

This could expose sensitive information like:

<mark style="color:red;">`java.sql.SQLException: Error executing query at line 42 in /var/www/app/dao/UserDAO.java`</mark>

The error message reveals: <kbd>Internal file paths</kbd><kbd><mark style="color:red;">Implementation details<mark style="color:red;"></kbd><kbd>Database information</kbd>

## System Information Leakage Prevention Methods: How to Fix Your Code

The most effective way to fix System Information Leakage is to implement proper error handling with custom error messages and logging. This involves catching specific exceptions, logging them securely, and showing generic error messages to users.

### Code Samples

{% tabs %}
{% tab title="Java" %}
**Vulnerable Code**

<pre class="language-java"><code class="lang-java">try {
    processRequest();
} catch (Exception e) {
    <a data-footnote-ref href="#user-content-fn-1">logger.error(e.getMessage(), e);</a>
    response.sendError(500, e.toString());
}
</code></pre>

**Fixed Code**

```java
try {
    processRequest();
} catch (Exception e) {
    String errorId = generateErrorId();
    logger.error("Unexpected error: " + errorId, e);
    response.sendError(500, "An unexpected error occurred. Reference: " + errorId);
}
```

**Fix Explanation**

The vulnerable code exposes detailed error information to users.The fix generates a unique error ID for tracking.Internal details are logged securely but hidden from users.Users receive a generic message with a reference ID.
{% endtab %}

{% tab title="JavaScript" %}
**Vulnerable Code**

```javascript
app.use((err, req, res, next) => {
    console.error(err.stack);
    res.status(500).send(err.stack);
});
```

**Fixed Code**

```javascript
app.use((err, req, res, next) => {
    const errorId = generateUniqueId();
    console.error(`Error ${errorId}:`, err);
    res.status(500).json({
        error: 'Internal Server Error',
        reference: errorId
    });
});
```

**Fix Explanation**

The vulnerable code sends stack traces directly to clients.The fix implements a custom error handler with unique IDs.Error details are logged server-side only.Clients receive a sanitized JSON response with reference ID.
{% endtab %}

{% tab title="Python" %}
**Vulnerable Code**

```python
try:
    process_request()
except Exception as e:
    logging.error(str(e))
    return jsonify({'error': str(e)}), 500
```

**Fixed Code**

```python
try:
    process_request()
except Exception as e:
    error_id = generate_error_id()
    logging.error(f"Error {error_id}: {str(e)}", exc_info=True)
    return jsonify({
        'error': 'Internal Server Error',
        'reference': error_id
    }), 500
```

**Fix Explanation**

The vulnerable code exposes exception details in the response.The fix implements error tracking with unique identifiers.Full error details are logged securely.Users receive a generic error message with reference ID.
{% endtab %}

{% tab title="C#" %}
**Vulnerable Code**

```csharp
try
{
    ProcessRequest();
}
catch (Exception ex)
{
    _logger.LogError(ex.ToString());
    return StatusCode(500, ex.Message);
}
```

**Fixed Code**

```csharp
try
{
    ProcessRequest();
}
catch (Exception ex)
{
    var errorId = Guid.NewGuid().ToString();
    _logger.LogError(ex, "Error {ErrorId}: {Message}", errorId, ex.Message);
    return StatusCode(500, new
    {
        Error = "An unexpected error occurred",
        Reference = errorId
    });
}
```

**Fix Explanation**

The vulnerable code returns exception messages to clients.The fix generates a GUID for error tracking.Structured logging captures full error details.Users receive a safe error response with reference ID.
{% endtab %}

{% tab title="PHP" %}
**Vulnerable Code**

```php
try {
    processRequest();
} catch (Exception $e) {
    error_log($e->getMessage());
    http_response_code(500);
    echo $e->getMessage();
}
```

**Fixed Code**

```php
try {
    processRequest();
} catch (Exception $e) {
    $errorId = uniqid('err_');
    error_log("Error $errorId: " . $e->getMessage());
    http_response_code(500);
    echo json_encode([
        'error' => 'Internal Server Error',
        'reference' => $errorId
    ]);
}
```

**Fix Explanation**

The vulnerable code displays exception messages to users.The fix generates unique error identifiers.Error details are logged but not exposed.Users receive a JSON response with reference ID.
{% endtab %}

{% tab title="C/C++" %}
**Vulnerable Code**

```cpp
try {
    processRequest();
} catch (const std::exception& e) {
    syslog(LOG_ERR, e.what());
    std::cout << "Error: " << e.what() << std::endl;
}
```

**Fixed Code**

```cpp
try {
    processRequest();
} catch (const std::exception& e) {
    std::string errorId = generateErrorId();
    syslog(LOG_ERR, "Error %s: %s", errorId.c_str(), e.what());
    std::cout << "Internal Error. Reference: " << errorId << std::endl;
}
```

**Fix Explanation**

The vulnerable code prints exception details to output.The fix implements error tracking with unique IDs.Full error details are logged securely.Users see only a reference ID for support.
{% endtab %}
{% endtabs %}

## Need more help in preventing System Information Leakage?

[Mobb](https://mobb.ai) supports fixing many forms of System Information Leakage vulnerabilities, and can mitigate your issues in batch.

Start now for free at [app.mobb.ai](https://app.mobb.ai)

### We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

[Book a meeting](https://calendly.com/mobbai/demo) or [Contact us](https://content.mobb.ai/contact) if you have any corrections, questions or suggestions. Start now for free at <https://app.mobb.ai>

[^1]: This is the vulnerable part


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.mobb.ai/mobb-user-docs/fixing-guides/system-info-leak-fix-guide.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.