Is use of Stacktraces in live website dangerous?

**Juany** · 19-01-2010

Hello to all,
I am new to this forum. I am working on multiple Sitecore websites and one of my friend said me it might be dangerous to have stacktraces available to users of the website when you get errors. Can anyone tell me is use of Stacktraces in live website dangerous? Is it vulnerable to hackers? Please help me.
Thanks in advanced.

**Praetor** · 19-01-2010

Yes it is dangerous to have Stacktraces in live website. Depending on what the exception in case is, you are actually explore information about your system to other users and hackers can take advantage of it.
For example, If your stack trace could be showing errors coming from the sql then other person can come to know that SQL Server is the part of setup. It also tells the other person, which .NET calls are being made, when causing the error.

**Katty** · 19-01-2010

As per my knowledge use of stacktraces is very harmful than providing good result. It potentially help an attacker 'profile' your web site and related software. If they are able to see database module of your project then they can craft an attack based on that database software. In this case you have to add some "security through obscurity" to stay away from such type of problem.

**kelfro** · 19-01-2010

Hey why you don't send error directly to admin or logged somewhere using email. If you don't want to show error to user then you can directly send error to admin or logged somewhere. For this you have to use "automated email" service. Whenever an error occurs an email containing error message is automatically send to admin. Through this process you can hide information about error from other user.

**Zecho** · 19-01-2010

Yes it is harmful to use Stacktraces in live website dangerous. Let's look at following example.
Session["username"] = user; if("denied" != getPermission(Session["username"])) redirect("login error")
Hey look at this common security bug, now combined that with giving information. Now it is possible for hacker to know an exception. If he can use that information to cause an exception when calling getPermission he will no longer be redirected. So only the stacktrace is usually not that dangerous but combined with more information they will weaken your security system.