Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: unknown
The Servlet does not catch all exceptions, which may reveal sensitive debugging information.
When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 248 | 1000 | Primary |
CanPrecede | 209 | 1000 | |
PeerOf | 390 | 1000 | |
Scope | Impact | Notes |
---|---|---|---|
Confidentiality, Availability | Read Application Data; DoS: Crash, Exit, or Restart | |
Strategy:
Implement Exception blocks to handle all types of Exceptions.
In the following method a DNS lookup failure will cause the Servlet to throw an exception.
Example language: Java (bad)
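The listing itself is not reproduced on this page. As an added example (not CWE's own code), the following hypothetical servlet shows the uncaught form beside a hardened version that catches every exception, logs the detail server-side and returns only a generic error to the client; the class name `GreetingServlet` and the method name `doPostUncaught` are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used only to illustrate CWE-600; not from the CWE entry.
public class GreetingServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(GreetingServlet.class.getName());

    // Uncaught form: UnknownHostException (declared by getByName) and any
    // RuntimeException escape the method, so the container renders its default
    // error page, which typically includes the stack trace.
    protected void doPostUncaught(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String ip = req.getRemoteAddr();
        InetAddress addr = InetAddress.getByName(ip);
        PrintWriter out = res.getWriter();
        out.println("hello " + addr.getHostName());
    }

    // Hardened form: every exception is handled inside the servlet. Details go
    // to the server log; the client sees only a status code and a fixed message.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        try {
            String ip = req.getRemoteAddr();
            InetAddress addr = InetAddress.getByName(ip);
            PrintWriter out = res.getWriter();
            out.println("hello " + addr.getHostName());
        } catch (UnknownHostException e) {
            LOG.log(Level.WARNING, "host lookup failed for client address", e);
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Request could not be processed.");
        } catch (Exception e) {
            // Catch-all so no unexpected exception reaches the container's error page.
            LOG.log(Level.SEVERE, "unhandled error in GreetingServlet", e);
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Request could not be processed.");
        }
    }
}
```

A container-level `<error-page>` mapping in web.xml is a complementary defense for anything that still slips through, but it does not replace handling exceptions in the servlet itself.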
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
The CERT Oracle Secure Coding Standard for Java (2011) | ERR01-J | | Do not allow exceptions to expose sensitive information |
Software Fault Patterns | SFP4 | | Unchecked Status Condition |