Error Handling / Improper Error Handling
Improper Error Handling is a vulnerability in Web and API applications which can allow attackers to gain access to sensitive and confidential data by exploiting errors that occur in the application. This vulnerability is classified in the Common Weakness Enumeration (CWE) directory under CWE-209. According to the OWASP Testing Guide, this vulnerability can be exploited by attackers to gain access to restricted functions and data, to tamper with data, to conduct denial of service attacks, or to bypass authentication.
Improper Error Handling can lead to a wide range of security risks, including disclosure of sensitive data, unauthorized access to restricted functions, data tampering, denial of service attacks, and bypass of authentication. This vulnerability can also lead to loss of confidential data, reputational damage, and financial losses.
Improper error handling can allow attackers to:
- Understand the APIs being used internally.
- Map the various services integrating with each other by gaining insight on internal systems and frameworks used, which opens up doors to attack chaining.
- Gather the versions and types of applications being used.
- DoS the system by forcing the system into a deadlock or an unhandled exception that sends a panic signal to the engine running it. -Controls bypass where a certain exception is not restricted by the logic set around the happy path.
Organizations should ensure proper error handling by validating user input and ensuring that errors are handled securely. Applications should also log errors in a secure manner and use secure coding practices to prevent attackers from gaining access to sensitive data or restricted functions.