Difference between revisions of "Improper error handling"

From OWASP
Latest revision as of 08:16, 24 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 02/24/2009

Vulnerabilities Table of Contents

Description

Sometimes an error is detected, and bad or no action is taken.

Consequences

Undefined.

Exposure period

Implementation: This is generally a logical flaw or a typo introduced completely at implementation time.

Platform

Languages: All

Operating platforms: All

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and clean up the program.


Risk Factors

TBD

Examples

In C:

#include <stdlib.h>

char *foo = malloc(sizeof(char));
//the next line checks to see if malloc failed
if (foo == 0) {
  //We do nothing so we just ignore the error.
}

In C++ and Java:

while (DoSomething()) {
  try {
    /* perform main loop here */
  }
  catch (Exception &e){
    /* do nothing, but catch so it'll compile... */
  }
}
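To contrast with the C snippet above, here is an added example (not from the OWASP page) of the three responses the avoidance text lists: retry, report, or clean up and stop. The names dup_with_retry, flaky_alloc, pending_failures and process are chosen for this example, and the failing allocator is constructed so that the error path actually runs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

/* Copy `src` into a buffer from `allocate`. Unlike the page's snippet a NULL
 * is acted on: retry up to `max_attempts` times (fix and try again), then
 * report it (alert) and return NULL so the caller can decide what to do.
 * *attempts receives the number of allocation calls that were made. */
char *dup_with_retry(const char *src, alloc_fn allocate,
                     int max_attempts, int *attempts) {
    size_t len = strlen(src) + 1;
    char *buf = NULL;
    int n = 0;
    while (buf == NULL && n < max_attempts) {
        n++;
        buf = allocate(len);
    }
    if (attempts) *attempts = n;
    if (buf == NULL) {
        fprintf(stderr, "allocating %zu bytes failed after %d attempts\n", len, n);
        return NULL;
    }
    memcpy(buf, src, len);
    return buf;
}

/* Constructed allocator for this example: fails the next `pending_failures`
 * calls, then behaves like malloc, so the error path runs on demand. */
int pending_failures = 0;
void *flaky_alloc(size_t n) {
    if (pending_failures > 0) { pending_failures--; return NULL; }
    return malloc(n);
}

/* Caller showing the third option: on an unrecoverable error, clean up and
 * stop (return 1) rather than continue with a NULL pointer; 0 on success. */
int process(const char *input, int failures_before_success) {
    int attempts = 0;
    pending_failures = failures_before_success;
    char *copy = dup_with_retry(input, flaky_alloc, 3, &attempts);
    if (copy == NULL)
        return 1;   /* release any other resources here before stopping */
    printf("copied \"%s\" after %d attempt(s)\n", copy, attempts);
    free(copy);
    return 0;
}
```

Calling process("hello", 2) succeeds on the third allocation attempt, while process("hello", 3) exhausts the retries, reports the failure and returns 1 instead of silently continuing.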


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.

Related Technical Impacts


References

TBD