This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Codereview-Error-Handling"
(New page: Error Handling is important in a number of ways. It may effect the state of the application, leak system information to a user, the initial failure to cause the error may cause the applica...) |
|||
| Line 1: | Line 1: | ||
| − | Error Handling | + | ==Error Handling== |
| − | Error Handling should be centralised | + | Error Handling important in a number of ways. It may effect the state of the application, leak system information to a user, the initial failure to cause the error may cause the application be traverse into an insecure state. |
| + | |||
| + | ===Error Handling should be centralised=== | ||
When reviewing code it is recommended to assess the commonality within the application from a error/exception handling perspective. | When reviewing code it is recommended to assess the commonality within the application from a error/exception handling perspective. | ||
Frameworks have error handling resources which can be exploited to assist in secure programming and such resources within the framework should be reviewed to assess if the error handling is "wired-up" correctly. | Frameworks have error handling resources which can be exploited to assist in secure programming and such resources within the framework should be reviewed to assess if the error handling is "wired-up" correctly. | ||
| − | Failing Securely | + | ===Declaritive Exception Handling=== |
| + | |||
| + | <exception key=”bank.error.nowonga” | ||
| + | path=”/NoWonga.jsp” | ||
| + | type=”mybank.account.NoCashException”/> | ||
| + | |||
| + | This could be found in the struts-config.xml file, a key file when reviewing the wired-up struts environment | ||
| + | |||
| + | ===Failing Securely=== | ||
| + | |||
| + | ===Information Leakage=== | ||
| − | Information | + | ===Information burial=== |
| + | Swallowing exceptions into an empty catch() block is not advised as an audit trail of the cause of the exception would be incomplete. | ||
Actions to take upon an error | Actions to take upon an error | ||
Revision as of 13:58, 19 August 2008
Error Handling
Error Handling important in a number of ways. It may effect the state of the application, leak system information to a user, the initial failure to cause the error may cause the application be traverse into an insecure state.
Error Handling should be centralised
When reviewing code it is recommended to assess the commonality within the application from a error/exception handling perspective. Frameworks have error handling resources which can be exploited to assist in secure programming and such resources within the framework should be reviewed to assess if the error handling is "wired-up" correctly.
Declaritive Exception Handling
<exception key=”bank.error.nowonga”
path=”/NoWonga.jsp”
type=”mybank.account.NoCashException”/>
This could be found in the struts-config.xml file, a key file when reviewing the wired-up struts environment
Failing Securely
Information Leakage
Information burial
Swallowing exceptions into an empty catch() block is not advised as an audit trail of the cause of the exception would be incomplete. Actions to take upon an error
