CWE-600 Servlet中未捕获的异常

  • A+
所属分类:CWE(弱点枚举)

CWE-600 Servlet中未捕获的异常

Uncaught Exception in Servlet

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

扩展描述

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 248 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 209 cwe_View_ID: 1000

  • cwe_Nature: PeerOf cwe_CWE_ID: 390 cwe_View_ID: 1000

常见的影响

范围 影响 注释
['Confidentiality', 'Availability'] ['Read Application Data', 'DoS: Crash, Exit, or Restart']

可能的缓解方案

Implementation

策略:

Implement Exception blocks to handle all types of Exceptions.

示例代码

In the following method a DNS lookup failure will cause the Servlet to throw an exception.

bad Java

protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {

String ip = req.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
...
out.println("hello " + addr.getHostName());

}

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
The CERT Oracle Secure Coding Standard for Java (2011) ERR01-J Do not allow exceptions to expose sensitive information
Software Fault Patterns SFP4 Unchecked Status Condition

文章来源于互联网:scap中文网

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: