R359. Avoid using generic exceptions

Requirement

The system should use typified exceptions instead of generic exceptions.

Description

Catching generic exceptions obscures the problem that caused the error and promotes a generic way to handle different categories or sources of error. This may cause security vulnerabilities to materialize, as some special flows go unnoticed.

References

  1. CWE-396: Declaration of Catch for Generic Exception. Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

  2. CWE-397: Declaration of Throws for Generic Exception. Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

  3. OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.5) Verify that access controls fail securely including when an exception occurs.

  4. OWASP-ASVS v4.0.1 V7.4 Error Handling.(7.4.2) Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy