I don't think anybody can exploit my application with the help of the error messages it displays or can they?
Error messages can give out a whole lot of information about the application.
Sometimes during the design and development stages we miss out on customizing the error messages. The application may give out information about the architecture or the business details etc. All such information helps an adversary plan further attacks.
One common issue I've seen is getting details about the database on entering unexpected inputs. Let's see how this is possible: consider an application that uses Oracle as the backend database and does not handle errors properly. An adversary enters some unexpected input in a form field and sends the request to the server. The server sends back an error message which says "Error parsing and updating transaction request -ORA-20000". This clearly tells the adversary that Oracle is being used at the backend, and now he can refine his attacks based on this information.
As a best practice, no architectural details should be disclosed to the user.
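The scenario above, as an added example that is not part of the original article: a request handler that echoes the raw driver error back to the client, beside a hardened version that logs the detail server-side and returns only a generic message with a reference id, plus a small check a tester can run over response bodies to flag backend fingerprints. The `update_transaction` function and the `DatabaseError` class are constructed stand-ins for the Oracle call, not a real driver.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Constructed stand-in for the driver exception; the message is the one quoted in the article.
class DatabaseError(Exception):
    pass

def update_transaction(form_input: str) -> str:
    """Stand-in for the backend call; fails on non-numeric (unexpected) input."""
    if not form_input.isdigit():
        raise DatabaseError("Error parsing and updating transaction request -ORA-20000")
    return "transaction updated"

def handle_request_leaky(form_input: str) -> tuple[int, str]:
    """Before: the raw driver message goes straight back to the client."""
    try:
        return 200, update_transaction(form_input)
    except DatabaseError as exc:
        return 500, str(exc)

def handle_request_hardened(form_input: str) -> tuple[int, str]:
    """After: full detail to the server log only; client gets a generic message and a reference id."""
    try:
        return 200, update_transaction(form_input)
    except DatabaseError:
        ref = uuid.uuid4().hex[:12]
        log.exception("transaction update failed, ref=%s", ref)  # stack trace stays server-side
        return 500, f"The request could not be processed. Reference: {ref}"

# Well-known database error fingerprints; a constructed starter list, extend for your stack.
DB_FINGERPRINTS = [
    r"ORA-\d{5}",                              # Oracle error codes (the article's example)
    r"SQLSTATE\[",                             # PDO / PostgreSQL style
    r"You have an error in your SQL syntax",   # MySQL
    r"Unclosed quotation mark",                # Microsoft SQL Server
]

def discloses_backend(body: str) -> bool:
    """Test-side check: does a response body leak a database fingerprint?"""
    return any(re.search(pattern, body) for pattern in DB_FINGERPRINTS)
```

Run `discloses_backend` over the bodies of error responses collected during testing; any hit is an architectural disclosure to fix before release.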
This article explains
Chris Anley's advanced SQL Injection paper explains how to use error messages to fine-tune a SQL Injection attack.