Title

The application must not be subject to error handling vulnerabilities. (Cat II impact)

Discussion

Error handling is the failure to check the return values of functions or catch top level exceptions within a program. Improper error handling in an application can lead to an application failure or possibly result in the application entering an insecure state. The primary way to detect error handling vulnerabilities is to perform code reviews. If a manual code review cannot be performed, static code analysis tools should be employed in conjunction with tests to help force the error conditions by specifying invalid input (such as fuzzed data and malformed filenames) and by using different accounts to run the application. These tests may give indications of vulnerability, but they are not comprehensive. In order to minimize error handling errors, ensure proper return code and exception handling is implemented throughout the application.

Check Content

Review the application documentation, code review reports and the results from static code analysis tools. Identify the most recent security scans and code analysis testing conducted. Verify testing configuration includes tests for error handling issues. Check test results for identified error handling vulnerabilities within the application. If the test results indicate the existence of error handling vulnerabilities and no remediation evidence is presented, this is a finding. If no test results are available for review, this is a finding.

Fix Text

Ensure proper return code and exception handling is implemented throughout the application.

Additional Identifiers

Rule ID: SV-222656r879887_rule

Vulnerability ID: V-222656

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.