Error Handling | ID: 388 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: category | Status: DRAFT |
Description
This category includes weaknesses that occur when an
application does not properly handle errors that occur during
processing.
Extended Description
An attacker may discover this type of error, since these errors can be forced with a variety of corrupt inputs.
Applicable Platforms
None
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Integrity, Confidentiality | Read application data; Modify files or directories | Generally, the consequences of improper error handling are the disclosure of the internal workings of the application to the attacker, providing details to use in further attacks. Web applications that do not properly handle error conditions frequently generate error messages such as stack traces, detailed diagnostics, and other inner details of the application. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
| | Use a standard exception handling mechanism to be sure that your application properly handles all types of processing errors. All error messages sent to the user should contain as little detail as necessary to explain what happened. | | |
| | If the error was caused by unexpected and likely malicious input, it may be appropriate to send the user no error message other than a simple "could not process the request" response. | | |
| | The details of the error and its cause should be recorded in a detailed diagnostic log for later analysis. Do not allow the application to throw errors up to the application container, generally the web application server. | | |
| | Be sure that the container is properly configured to handle errors if you choose to let any errors propagate up to it. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-388 ChildOf CWE-728 | Category | CWE-711 | |
Demonstrative Examples (Details)
- In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).
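The pattern described in the demonstrative example and the mitigations above, as an added illustration that is not part of the CWE entry: `handle_vulnerable` catches only the one exception type the application anticipated, so any other corrupt input escapes to the container (simulated here by `run_in_container`, which returns the stack trace to the client the way a default error page would); `handle_hardened` catches everything, writes the full details to the diagnostic log under a correlation id, and returns only a generic message. `parse_quantity`, `ApplicationSpecificException` and the correlation id are assumptions made for this example.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app.errors")


class ApplicationSpecificException(Exception):
    """The one error type the application expects and knows how to report."""


def parse_quantity(raw):
    """Hypothetical business logic: different corrupt inputs raise different
    exception types, only one of which the application anticipated."""
    if raw == "":
        raise ApplicationSpecificException("quantity missing")
    return int(raw)  # "abc" -> ValueError, None -> TypeError: both unanticipated


def handle_vulnerable(raw):
    """Catches only the expected exception; any other error propagates to the
    container (the CWE-388 pattern)."""
    try:
        return 200, "quantity=%d" % parse_quantity(raw)
    except ApplicationSpecificException as e:
        logger.error("Caught: %s", e)
        return 400, "Invalid quantity"


def handle_hardened(raw):
    """Catches everything: full details go to the diagnostic log under a
    correlation id (an assumed convention), the user gets a minimal message."""
    try:
        return 200, "quantity=%d" % parse_quantity(raw)
    except ApplicationSpecificException as e:
        logger.warning("Rejected input: %s", e)
        return 400, "Invalid quantity"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        logger.error("Unhandled error [%s]\n%s", ref, traceback.format_exc())
        return 500, "Could not process the request (ref %s)" % ref


def run_in_container(handler, raw):
    """Stand-in for a container whose default error page dumps the stack trace
    to the client; the hardened handler never lets an error reach this point."""
    try:
        return handler(raw)
    except Exception:
        return 500, traceback.format_exc()
```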
White Box Definitions
None
Black Box Definitions
None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
7 Pernicious Kingdoms | | Error Handling | |
OWASP Top Ten 2004 | A7 | Improper Error Handling | CWE_More_Specific |