This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "CRV2 AntiPattern"
| Line 9: | Line 9: | ||
Error information for a hacker is like a bone to a dog; “Something good to chew on“. Without controlling what error information is shown to a user the application may release information such as platform target code is running on, database being used, computer language, etc. The significance of each piece of information allows the hacker to quickly narrow what tools he uses and what vulnerabilities he might try to exploit. | Error information for a hacker is like a bone to a dog; “Something good to chew on“. Without controlling what error information is shown to a user the application may release information such as platform target code is running on, database being used, computer language, etc. The significance of each piece of information allows the hacker to quickly narrow what tools he uses and what vulnerabilities he might try to exploit. | ||
===.Net=== | ===.Net=== | ||
| + | =====What is the flaw?===== | ||
| + | =====Secure Design Recommendation:===== | ||
| + | At minimum exception handling should have... | ||
| + | } catch (Exception ex) {YourLogger.Log(ex); throw;} | ||
| + | =====Review Criteria===== | ||
| + | Static analysis tools like .CatNet are good at finding information leakage from exceptions. Code review needs to understand how expect ions and unhanded exceptions are handled by the program. | ||
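Review bot: The added "Secure Design Recommendation" block shows a bare `} catch (Exception ex) {YourLogger.Log(ex); throw;}` with no enclosing `try`, and it stops at "log and rethrow" without saying where the rethrown exception is finally turned into a user-safe message; since the section's point is that raw error detail must not reach the user, the recommendation should name the boundary (a global error handler or equivalent) that catches what is rethrown and returns a generic message, otherwise the rethrow simply moves the leak up one level. The new "What is the flaw?" heading has no body, so the flaw (error pages and responses echoing exception text, stack traces, database or platform details) should be spelled out there rather than only implied by the paragraph above. In the "Review Criteria" text, "expect ions" and "unhanded" read as typos for "exceptions"/"expected" and "unhandled", and ".CatNet" appears to be a mis-rendering of the Microsoft tool name CAT.NET.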
Revision as of 21:59, 16 June 2013
Introduction
In software engineering, a design pattern is a reusable solution to a commonly occurring problem that can be generalized for use in numerous contexts of software design.
Anti-patterns are commonly used patterns in software engineering that are ineffective or counterproductive and may result in software vulnerabilities.
The Code Review Guide will focus on anti-design patterns that help create insecure code/applications.
Exceptions:
Error information for a hacker is like a bone to a dog; “Something good to chew on”. Without controlling what error information is shown to a user, the application may release information such as the platform the code is running on, the database being used, the programming language, etc. Each piece of information allows the hacker to quickly narrow down which tools he uses and which vulnerabilities he might try to exploit.
.Net
What is the flaw?
Secure Design Recommendation:
At minimum exception handling should have...
try { /* code that may throw */ } catch (Exception ex) { YourLogger.Log(ex); throw; } // log full detail server-side, then rethrow
Review Criteria
Static analysis tools like CAT.NET are good at finding information leakage from exceptions. Code review needs to understand how expected and unhandled exceptions are handled by the program.
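The following is an added example, not code from the OWASP page, illustrating both the "Secure Design Recommendation" (log and rethrow) and the "Review Criteria" (how expected and unhandled exceptions end up in front of the user). It puts the information-leaking anti-pattern next to the recommended form and adds the one boundary where a user-facing message is produced. YourLogger, OrderService, ErrorBoundary and FakeDbException are hypothetical names; the exception text is constructed to resemble a database provider error.

```csharp
// Added example (hypothetical names): leaky catch vs. log-and-rethrow, plus a
// single error boundary that decides what the user sees.
using System;
using System.Collections.Generic;

// Hypothetical server-side logger. Records full detail and tags the exception
// with a reference id so an outer handler neither re-logs it nor has to guess the id.
public static class YourLogger
{
    public static readonly List<string> Entries = new List<string>();

    public static Guid Log(Exception ex)
    {
        if (ex.Data.Contains("ref")) return (Guid)ex.Data["ref"];   // already logged upstream
        var id = Guid.NewGuid();
        ex.Data["ref"] = id;
        Entries.Add($"{id} {ex.GetType().FullName}: {ex.Message}{Environment.NewLine}{ex.StackTrace}");
        return id;
    }
}

// Constructed stand-in for a provider exception whose message names the server,
// the account and the database product: exactly the "bone to a dog" the page warns about.
public class FakeDbException : Exception
{
    public FakeDbException()
        : base("Login failed for user 'app_user' on server SQLPROD01 (Microsoft SQL Server 2012)") { }
}

public static class OrderService
{
    private static void QueryOrders(int customerId) => throw new FakeDbException();

    // ANTI-PATTERN: catch, then hand the exception text straight back to the caller/user.
    public static string GetOrdersLeaky(int customerId)
    {
        try { QueryOrders(customerId); return "ok"; }
        catch (Exception ex) { return "Error: " + ex.ToString(); }   // leaks DB, host, platform, stack
    }

    // RECOMMENDATION: at minimum log the full exception and rethrow it; this method
    // never composes user-facing text.
    public static string GetOrdersSafe(int customerId)
    {
        try { QueryOrders(customerId); return "ok"; }
        catch (Exception ex) { YourLogger.Log(ex); throw; }
    }
}

// The only place that turns an exception into a user-visible message: a generic
// sentence plus the log reference id. In ASP.NET this is the job of a global
// handler (Application_Error / exception filter); here it is a plain wrapper.
public static class ErrorBoundary
{
    public static string Run(Func<string> action)
    {
        try { return action(); }
        catch (Exception ex)
        {
            var id = YourLogger.Log(ex);   // logs only if nothing upstream already did
            return $"An error occurred. Reference: {id}";
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // 1. Leaky: the response carries server name, DB product and stack trace.
        Console.WriteLine(OrderService.GetOrdersLeaky(42));

        // 2. Expected exception path: logged once in the service, generic text at the boundary.
        Console.WriteLine(ErrorBoundary.Run(() => OrderService.GetOrdersSafe(42)));

        // 3. Unhandled path (no catch in the call chain): still logged once, still generic.
        Console.WriteLine(ErrorBoundary.Run(() => throw new InvalidOperationException("no catch below")));

        Console.WriteLine($"{YourLogger.Entries.Count} server-side log entries written");   // 2
    }
}
```

When reviewing, the check is the one this example makes visible: every `catch` in application code should either rethrow (after logging) or return a result that contains none of the exception's own text, and exactly one boundary should produce the user message. A tool like CAT.NET flags the first form above because `ex.ToString()` flows into output; the second and third paths are what the code review is meant to confirm by hand.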