Failure to Catch All Exceptions in Servlet
Weakness ID: 600 (Weakness Base)
Status: Draft
+ Description

Description Summary

A Servlet fails to catch all exceptions, which may reveal sensitive debugging information.

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

+ Alternate Terms
Missing Catch Block
+ Time of Introduction
  • Implementation
+ Demonstrative Examples

Example 1

In the following method, a DNS lookup failure (an UnknownHostException thrown by InetAddress.getByName) will cause the Servlet to throw an exception that nothing in the method catches.

(Bad Code)
Example Language: Java 
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
    String ip = req.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip); // UnknownHostException propagates to the container
    ...
    PrintWriter out = res.getWriter();
    out.println("hello " + addr.getHostName());
}
+ Potential Mitigations

Implement exception-handling (catch) blocks that cover all types of exceptions the Servlet can throw, so that the container never has to generate its default error response for the request.
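As an added illustration of this mitigation (not code from the CWE entry), the hypothetical SafeLookupServlet below reworks the doPost method of Example 1 so that every exception is caught, logged server-side with full detail, and answered with a generic status code; it assumes the standard javax.servlet API and java.util.logging.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical hardened version of the doPost method from Example 1. */
public class SafeLookupServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(SafeLookupServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        try {
            String ip = req.getRemoteAddr();
            // Same DNS lookup as Example 1; may throw UnknownHostException.
            InetAddress addr = InetAddress.getByName(ip);

            res.setContentType("text/plain");
            PrintWriter out = res.getWriter();
            out.println("hello " + addr.getHostName());
        } catch (Exception e) {
            // Catch-all: checked exceptions (UnknownHostException, IOException) and
            // unchecked ones (NullPointerException, ...) are handled the same way.
            // Full detail, including the stack trace, goes to the server log only.
            LOG.log(Level.SEVERE, "doPost failed for " + req.getRequestURI(), e);

            // The client receives a generic status with no exception text, so the
            // container never renders its default debugging error page.
            if (!res.isCommitted()) {
                res.reset();
                res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                        "An internal error occurred.");
            }
        }
        // Note: java.lang.Error subclasses (e.g. OutOfMemoryError) are deliberately
        // not caught here; a second layer such as an <error-page> entry in web.xml
        // should map those to a generic page as well.
    }
}
```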

+ Relationships
Nature     | Type           | ID  | Name                                           | View(s) this relationship pertains to
ChildOf    | Category       | 388 | Error Handling                                 | Development Concepts (primary) 699
ChildOf    | Weakness Class | 691 | Insufficient Control Flow Management           | Research Concepts 1000
ChildOf    | Weakness Class | 755 | Improper Handling of Exceptional Conditions    | Research Concepts (primary) 1000
CanPrecede | Weakness Base  | 209 | Information Exposure Through an Error Message  | Research Concepts 1000
PeerOf     | Weakness Class | 390 | Detection of Error Condition Without Action    | Research Concepts 1000
+ Maintenance Notes

The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.

+ Content History
Modifications
Modification Date | Modifier         | Organization | Source   | Changes
2008-07-01        | Eric Dalci       | Cigital      | External | updated Potential Mitigations, Time of Introduction
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Relationships, Other Notes
2009-03-10        | CWE Content Team | MITRE        | Internal | updated Alternate Terms, Description, Maintenance Notes, Name, Other Notes, Relationships
2009-05-27        | CWE Content Team | MITRE        | Internal | updated Demonstrative Examples
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11  | Missing Catch Block
2009-03-10  | Failure to Catch All Exceptions (Missing Catch Block)