
Error Handling

ID: 388
Date: (C) 2012-05-14   (M) 2017-11-07
Type: category
Status: DRAFT

Description

This category includes weaknesses that occur when an application does not properly handle errors that occur during processing.

Extended Description

An attacker can often discover this type of error, because these errors can be forced with a variety of corrupt input.

Applicable Platforms
None

Related Attack Patterns

Common Consequences

Scope: Integrity, Confidentiality
Technical Impact: Read application data; Modify files or directories
Notes: Generally, the consequences of improper error handling are the disclosure of the internal workings of the application to the attacker, providing details to use in further attacks. Web applications that do not properly handle error conditions frequently generate error messages such as stack traces, detailed diagnostics, and other inner details of the application.

Detection Methods
None

Potential Mitigations

Phase, Strategy, Effectiveness, Notes: not specified
Description:

  1. Use a standard exception handling mechanism to be sure that your application properly handles all types of processing errors. All error messages sent to the user should contain as little detail as necessary to explain what happened.

  2. If the error was caused by unexpected and likely malicious input, it may be appropriate to send the user no error message other than a simple "could not process the request" response.

  3. The details of the error and its cause should be recorded in a detailed diagnostic log for later analysis. Do not allow the application to throw errors up to the application container, generally the web application server.

  4. Be sure that the container is properly configured to handle errors if you choose to let any errors propagate up to it.

Relationships

Related CWE / Type / View / Chain
CWE-388 ChildOf CWE-728 (Type: Category; View: CWE-711)

Demonstrative Examples

  1. In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).
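The following Python example is added here to illustrate both the mitigations listed above and the container-default-error-page problem described in the demonstrative example; it is not code from the CWE entry or from SecPod. It models a web container (`container_dispatch`) that renders a full stack trace whenever a handler lets an exception escape, contrasts an unhandled handler (`unsafe_handler`) with one that follows the standard-exception-handling advice (`safe_handler`: generic message to the user, full details to a diagnostic log under a correlation id), and adds a small `leaks_internals` check that can be run over captured responses. All function names, the `parse_quantity` business logic and the in-memory `DIAGNOSTIC_LOG` are constructed for this example.

```python
import logging
import traceback
import uuid

# In-memory diagnostic log, constructed for the example. A real application
# writes this to a file or log service that end users cannot read.
DIAGNOSTIC_LOG = []


class _ListHandler(logging.Handler):
    def emit(self, record):
        DIAGNOSTIC_LOG.append(self.format(record))


log = logging.getLogger("example.errors")
log.setLevel(logging.DEBUG)
log.addHandler(_ListHandler())
log.propagate = False


def parse_quantity(raw):
    """Hypothetical business logic that fails on corrupt input."""
    qty = int(raw)  # ValueError on non-numeric text, TypeError on None
    if qty <= 0:
        raise ValueError(f"quantity must be positive, got {qty}")
    return qty


def container_dispatch(handler, raw):
    """Stand-in for the application container. If the handler lets an
    exception escape, the container renders its default error page, which
    here (as in many real servers) echoes the exception type, message and
    full stack trace to the client."""
    try:
        return handler(raw)
    except Exception as exc:
        page = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return 500, page


def unsafe_handler(raw):
    """CWE-388 pattern: no handling at all, so corrupt input reaches the container."""
    return 200, f"ordered {parse_quantity(raw)}"


def safe_handler(raw):
    """Standard exception handling: catch everything, log the details
    server-side, and return only a generic message to the user."""
    try:
        return 200, f"ordered {parse_quantity(raw)}"
    except ValueError as exc:
        # Likely corrupt or malicious input: say nothing about why it failed.
        log.warning("rejected input %r: %s", raw, exc)
        return 400, "could not process the request"
    except Exception as exc:
        # Unexpected failure: record the full trace under a correlation id
        # so the user-facing message can stay generic but still be traceable.
        incident = uuid.uuid4().hex[:12]
        details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("incident %s: unhandled error for input %r\n%s", incident, raw, details)
        return 500, f"an internal error occurred (reference {incident})"


def leaks_internals(body):
    """Cheap check for stack-trace residue in a response body; useful when
    scanning captured responses for improper error handling."""
    markers = ("Traceback (most recent call last)", 'File "')
    return any(marker in body for marker in markers)


if __name__ == "__main__":
    for handler in (unsafe_handler, safe_handler):
        status, body = container_dispatch(handler, "abc")
        print(handler.__name__, status, "leaks" if leaks_internals(body) else "clean")
    print("\n".join(DIAGNOSTIC_LOG))
```

Run stand-alone, the script shows the unsafe handler returning a 500 page that contains the exception type and the name of the function that raised it, while the safe handler returns a bare "could not process the request" and the same details appear only in `DIAGNOSTIC_LOG`. The `leaks_internals` markers are Python-specific; for other runtimes substitute the stack-trace signatures of that platform.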

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy / Id / Name / Fit
7 Pernicious Kingdoms / (none) / Error Handling / (none)
OWASP Top Ten 2004 / A7 / Improper Error Handling / CWE_More_Specific

References:

  1. Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 11: Failure to Handle Errors Correctly", page 183.

© 2013 SecPod Technologies