The system should use typified (specific, typed) exceptions instead of generic ones such as the language's base exception class.
Catching generic exceptions obscures the root cause of the error and encourages a single handling path for different categories and sources of error. Security-relevant flows, such as a failed access-control check or a misconfigured policy lookup, can then be swallowed together with ordinary runtime errors, and the code may continue as if nothing had happened (fail-open). Throwing generic exceptions has the mirror effect: callers cannot distinguish the cases they should handle from the ones they must let propagate.
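The following is an added example, not code from the original page or from Fluid Attacks, showing the two handling styles side by side. It assumes a small record store with a per-record ACL (`RECORDS`, `ACL`, the user names and the `AppError` hierarchy are all constructed for illustration). The ACL deliberately lacks an entry for one record to simulate a policy misconfiguration; the broad `except Exception` turns both that misconfiguration and a genuine permission denial into a silent fail-open, while the typed version handles only the errors it expects and lets anything else fail closed.

```python
"""Added example (not from the page): generic catch vs typed exceptions.

Constructed sample data: two records and an ACL that is missing an entry
for "r2" to simulate a misconfigured policy.
"""


class AppError(Exception):
    """Base class for the application's own, typed errors (assumed hierarchy)."""


class RecordNotFound(AppError):
    """The requested record does not exist."""


class PermissionDenied(AppError):
    """The caller is not authorised to read the record."""


# Constructed sample data.
RECORDS = {"r1": "alice's tax return", "r2": "bob's payslip"}
ACL = {"r1": {"alice"}}  # no entry for "r2": a deliberate misconfiguration


def check_access(user, record_id):
    """Raise a typed error (CWE-397: not a bare Exception) for each outcome.

    A KeyError from a missing ACL entry is intentionally left as an
    *unexpected* error: it signals broken policy data, not a normal flow.
    """
    if record_id not in RECORDS:
        raise RecordNotFound(record_id)
    allowed = ACL[record_id]  # KeyError if the ACL is misconfigured
    if user not in allowed:
        raise PermissionDenied(f"{user} may not read {record_id}")


def fetch_record(record_id):
    """Return the record body; existence was already checked by check_access."""
    return RECORDS[record_id]


def read_record_broad(user, record_id):
    """Vulnerable pattern (CWE-396): one generic handler for every failure.

    The intent was to tolerate "hiccups" in the policy check, but because
    PermissionDenied and KeyError are both subclasses of Exception, a denied
    user and a misconfigured ACL are treated exactly like a transient glitch,
    and the code falls through to return the record: an access-control
    fail-open (ASVS 4.1.5 violation).
    """
    try:
        check_access(user, record_id)
    except Exception:  # noqa: BLE001 - deliberately broad to show the defect
        pass  # "policy check had a problem, keep going"
    try:
        return "ok", fetch_record(record_id)
    except Exception:  # noqa: BLE001
        return "error", None


def read_record_typed(user, record_id):
    """Hardened pattern: handle only the expected, typed errors, each on
    its own path, and let everything else propagate so the request fails
    closed instead of open."""
    try:
        check_access(user, record_id)
        return "ok", fetch_record(record_id)
    except PermissionDenied:
        return "denied", None  # distinct, auditable outcome (maps to 403)
    except RecordNotFound:
        return "not_found", None  # maps to 404
    # KeyError (misconfigured ACL) and any other unexpected error propagate:
    # the caller's outermost handler turns them into a generic failure
    # response, never into a successful read.


if __name__ == "__main__":
    # mallory has no rights to either record; only the typed version refuses.
    print("broad:", read_record_broad("mallory", "r1"))   # ('ok', ...) fail-open
    print("typed:", read_record_typed("mallory", "r1"))   # ('denied', None)
    try:
        read_record_typed("mallory", "r2")
    except KeyError as exc:
        print("typed: misconfigured ACL surfaced as", repr(exc))
```

The distinguishing check is the last case: with the typed handler a missing ACL entry raises straight through, so a deployment with broken policy data fails loudly in testing instead of quietly granting access in production.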
CWE-396: Declaration of Catch for Generic Exception. Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
CWE-397: Declaration of Throws for Generic Exception. Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
OWASP-ASVS v4.0.1 V4.1 General Access Control Design (4.1.5). Verify that access controls fail securely including when an exception occurs.
OWASP-ASVS v4.0.1 V7.4 Error Handling (7.4.2). Verify that exception handling (or a functional equivalent) is used across the codebase to account for expected and unexpected error conditions.