Skip to main content

Technical information leak - Console functions


It is possible to obtain technical information such as:

  • System component versions (HTTP headers, service banner, etc.).
  • Specific information about the configuration of server components (php.ini, web.config).


Gather technical information to craft new attack vectors


Delete the services' banner information leakage. Verify that HTTP headers do not expose any name or version.


Authenticated attacker from the Internet


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: N
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 0.0
    • Temporal: 0.0
  • Severity:
    • Base: None
    • Temporal: None


In front-end programming, JavaScript's Console object provides access to the browser's debugging console1. Arguments passed to log, warn and error methods are visible to the user that is using the website, it's also visible to attackers.

As per Fluid Attacks' criteria2 the application must not disclose internal system information such as stack traces because this information can be leveraged to further exploit other vulnerabilities.

Developers tend to do debugging the following way:

try { /* Business logic code goes here ... */ }
catch (err) {

But this ends in lots of information that attackers use to better understand the inner workings on the system, aiding them in creating and improving attack vectors.

Error: <rect> attribute x: Expected length, "NaN".
(anonymous) @
Error: <rect> attribute y: Expected length, "NaN".
(anonymous) @
Error: <rect> attribute transform: Expected number, "rotate(NaN, NaN, NaN)".