Error Handling
Category ID: 388 (Category)Status: Draft
+ Description

Description Summary

This category includes weaknesses that occur when an application does not properly handle errors that occur during processing.

Extended Description

An attacker may discover this type of error, as forcing these errors can occur with a variety of corrupt input.

+ Common Consequences
ScopeEffect
Confidentiality

Generally, the consequences of improper error handling are the disclosure of the internal workings of the application to the attacker, providing details to use in further attacks. Web applications that do not properly handle error conditions frequently generate error messages such as stack traces, detailed diagnostics, and other inner details of the application.

+ Demonstrative Examples

Example 1

In the snippet below, an unchecked runtime exception thrown from within the try block may cause the container to display its default error page (which may contain a full stack trace, among other things).

(Bad Code)
Example Language: Java 
Public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
...
}
catch (ApplicationSpecificException ase) {
logger.error("Caught: " + ase.toString());
}
}
+ Potential Mitigations

Use a standard exception handling mechanism to be sure that your application properly handles all types of processing errors. All error messages sent to the user should contain as little detail as necessary to explain what happened.

If the error was caused by unexpected and likely malicious input, it may be appropriate to send the user no error message other than a simple "could not process the request" response.

The details of the error and its cause should be recorded in a detailed diagnostic log for later analysis. Do not allow the application to throw errors up to the application container, generally the web application server.

Be sure that the container is properly configured to handle errors if you choose to let any errors propagate up to it.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory18Source Code
Development Concepts (primary)699
ChildOfCategoryCategory728OWASP Top Ten 2004 Category A7 - Improper Error Handling
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfCategoryCategory389Error Conditions, Return Values, Status Codes
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base391Unchecked Error Condition
Seven Pernicious Kingdoms (primary)700
ParentOfWeakness BaseWeakness Base395Use of NullPointerException Catch to Detect NULL Pointer Dereference
Seven Pernicious Kingdoms (primary)700
ParentOfWeakness BaseWeakness Base396Declaration of Catch for Generic Exception
Seven Pernicious Kingdoms (primary)700
ParentOfWeakness BaseWeakness Base397Declaration of Throws for Generic Exception
Seven Pernicious Kingdoms (primary)700
ParentOfWeakness BaseWeakness Base544Failure to Use a Standardized Error Handling Mechanism
Development Concepts (primary)699
ParentOfWeakness BaseWeakness Base600Failure to Catch All Exceptions in Servlet
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class636Not Failing Securely ('Failing Open')
Development Concepts699
ParentOfWeakness ClassWeakness Class754Improper Check for Unusual or Exceptional Conditions
Development Concepts (primary)699
ParentOfWeakness ClassWeakness Class756Missing Custom Error Page
Development Concepts (primary)699
MemberOfViewView700Seven Pernicious Kingdoms
Seven Pernicious Kingdoms (primary)700
PeerOfWeakness BaseWeakness Base619Dangling Database Cursor ('Cursor Injection')
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsError Handling
OWASP Top Ten 2004A7CWE More SpecificImproper Error Handling
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
28Fuzzing
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Description, Relationships, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-10-29CWE Content TeamMITREInternal
updated Common Consequences