Descriptive Error Message Using invalid payloads
Checks whether the API's error messages leak sensitive internal details, specifically stack traces, when it is sent an invalid request body. Exposing such details helps an attacker map the technology stack and code paths of the application.
Verbose Error Messages (VEM)
How this template works
The template uses the "contains_either" filter on the request method to select only API requests made with PUT, POST, or PATCH, the methods that normally carry a request body. Requests using other methods are not tested.
The template executes a single request per selected API. It replaces the original request body with a random payload of special characters and emojis, which the API should reject, and captures the error response it produces.
The template validates the response payload by checking whether it contains any of the keywords "column", "row", "line", "function", "class", "stack", or "trace". A match indicates that the error message may be echoing internal details such as a stack trace, a file and line reference, or a class name, which an attacker can use to fingerprint the framework and locate code paths to target. Because the check is a containment match, short keywords such as "row", "line", or "class" can also match legitimate response content (for example a field named "classroom_id"), so confirm each finding by reading the full response before reporting it.
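The following Python script is an added illustration of the same check, not the Akto template itself or any code from the Akto project. It reproduces the three stages above (method selection, an invalid special-character payload, keyword matching on the response) against two constructed stub servers, one that echoes a parser traceback and one that returns a generic error. The `send` callback, the stub responses, and the optional whole-word matching mode are assumptions made for this example; the template's own check is a plain containment match.

```python
import random
import re
import string

# Keywords the template looks for in the response body.
LEAK_KEYWORDS = ["column", "row", "line", "function", "class", "stack", "trace"]
# Methods selected by the template's contains_either filter.
TARGET_METHODS = {"PUT", "POST", "PATCH"}

_WORD_RE = re.compile(r"\b(" + "|".join(LEAK_KEYWORDS) + r")\b", re.IGNORECASE)


def selects_request(method):
    """Stage 1: only body-carrying methods are tested."""
    return method.upper() in TARGET_METHODS


def build_invalid_payload(length=32, seed=None):
    """Stage 2: a random body of special characters and emojis that no
    JSON or form parser should accept."""
    rng = random.Random(seed)
    alphabet = string.punctuation + "\U0001F600\U0001F525\U0001F4A5\U0001F9E8"
    return "".join(rng.choice(alphabet) for _ in range(length))


def find_leak_keywords(body, whole_word=False):
    """Stage 3: return the keywords present in the response body.

    whole_word=False mirrors the template's containment check.
    whole_word=True (an assumption of this example, not template behaviour)
    uses word boundaries to cut false positives from words like 'classroom'."""
    if whole_word:
        return sorted({m.group(1).lower() for m in _WORD_RE.finditer(body)})
    lowered = body.lower()
    return sorted(k for k in LEAK_KEYWORDS if k in lowered)


def run_check(method, send, whole_word=False):
    """Run the full test for one API. `send(method, body)` is an assumed
    callback returning (status_code, response_body)."""
    if not selects_request(method):
        return {"tested": False, "hits": [], "vulnerable": False}
    status, response = send(method, build_invalid_payload())
    hits = find_leak_keywords(response, whole_word=whole_word)
    return {"tested": True, "status": status, "hits": hits, "vulnerable": bool(hits)}


# Constructed sample responses, not captured from any real system.
VERBOSE_RESPONSE = (
    '{"error":"JSONDecodeError: Expecting value: line 1 column 1 (char 0)",'
    '"trace":"Traceback (most recent call last):\\n'
    '  File \\"app/api.py\\", line 42, in create_user\\n'
    '    data = json.loads(body)"}'
)
SAFE_RESPONSE = '{"error":"invalid request body","field":"classroom_id","request_id":"c0ffee"}'


def fake_verbose_server(method, body):
    """Stub for an API that leaks its parser traceback on bad input."""
    return 500, VERBOSE_RESPONSE


def fake_hardened_server(method, body):
    """Stub for an API that returns a generic error and a correlation id."""
    return 400, SAFE_RESPONSE


if __name__ == "__main__":
    for name, server in (("verbose", fake_verbose_server), ("hardened", fake_hardened_server)):
        print(name, run_check("POST", server))
        print(name, "whole-word:", run_check("POST", server, whole_word=True))
```

Running it shows the verbose stub flagged on "column", "line" and "trace", while the hardened stub is flagged only in containment mode, on the "class" inside "classroom_id"; that is the kind of hit worth reading in full before reporting, and a generic error plus a server-side correlation id is the shape of response that passes the test.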
Frequently asked questions
What is the purpose of the DESCRIPTIVE_ERROR_MESSAGE test?
How does the DESCRIPTIVE_ERROR_MESSAGE test impact application security?
What is the category and subcategory of the DESCRIPTIVE_ERROR_MESSAGE test?
What are the severity and impact levels associated with the DESCRIPTIVE_ERROR_MESSAGE test?
What are the recommended HTTP methods for applying the DESCRIPTIVE_ERROR_MESSAGE test?
What are the references for further information on improper error handling?