
Uncaught Exception in Servlet

ID: 600
Date: (C) 2012-05-14   (M) 2012-11-08
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

Applicable Platforms
None

Time Of Introduction

  • Implementation

Common Consequences

Scope            Technical Impact               Notes
Confidentiality  Read application data
Availability     DoS: crash / exit / restart

Detection Methods
None

Potential Mitigations

Phase           Strategy  Description                                                     Effectiveness  Notes
Implementation            Implement Exception blocks to handle all types of Exceptions.

Relationships

Related CWE  Type     View              Chain
CWE-600      ChildOf  CWE-889 Category  CWE-888

Demonstrative Examples

  1. In the following method a DNS lookup failure will cause the Servlet to throw an exception. (Demonstrative Example Id DX-39)
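The following block is an added example, not the CWE entry's own DX-39 code, illustrating both the mitigation above (handle every exception type) and the DNS-lookup scenario of the demonstrative example. It shows a servlet that resolves the client's address written first in the weak style the entry describes, where an UnknownHostException escapes to the container's default error page, and then a hardened form in which every exception is caught, full detail goes only to the server log under a reference id, and the client receives a generic message. The class names, URL mapping and log format are assumptions made for this illustration.

```java
// Added example (not the CWE entry's DX-39 code). Class names are assumptions.
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Weak form: any exception escapes to the container's default error page. */
public class GreetingServletWeak extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String ip = req.getRemoteAddr();
        // A failed lookup throws UnknownHostException (a subclass of IOException).
        // doGet is declared to throw IOException, so it propagates to the
        // container, whose default error page may include the stack trace,
        // the exception message and the container's own version string.
        InetAddress addr = InetAddress.getByName(ip);
        res.setContentType("text/plain");
        res.getWriter().println("hello " + addr.getHostName());
    }
}

/** Hardened form: every exception is handled; the client sees only a generic message. */
class GreetingServletHardened extends HttpServlet {
    private static final Logger LOG =
            Logger.getLogger(GreetingServletHardened.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/plain");
        try {
            InetAddress addr = InetAddress.getByName(req.getRemoteAddr());
            res.getWriter().println("hello " + addr.getHostName());
        } catch (UnknownHostException e) {
            // Expected failure mode: a neutral message, no exception detail.
            res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            res.getWriter().println("hello, unresolved host");
        } catch (Exception e) {
            // Anything unexpected: keep the full detail server-side under a
            // reference id and hand the client only that id.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "unhandled error, ref=" + ref, e);
            res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            res.getWriter().println("internal error, reference " + ref);
        }
    }
}
```

The reference id lets an operator find the stack trace in the server log when a user reports a failure, without any of that detail crossing the wire. As a second layer, the servlet container can be told to render a static page for uncaught exceptions through the standard `<error-page>` element in web.xml, so that a handler missed by code review still does not fall back to the container's debugging page.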

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy                 Id       Name                                                    Fit
CERT Java Secure Coding  ERR01-J  Do not allow exceptions to expose sensitive information

References:
None

© 2013 SecPod Technologies