CWE-390 Individual Dictionary Definition (Draft 9)
| Field | Value |
|---|---|
| Weakness ID | 390 (Weakness Class) |
| Status | Draft |
| Description (Summary) | Sometimes an error is detected, and bad or no action is taken. |
| Likelihood of Exploit | Medium |
| Potential Mitigations | Implementation: Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment. Subject the software to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing. |

Demonstrative Examples

C Example:

```c
char *foo = malloc(sizeof(char)); // the next line checks to see if malloc failed
if (foo == 0) {
    // We do nothing, so we just ignore the error.
}
```

C++ Example:

```cpp
while (DoSomething()) {
    try {
        /* perform main loop here */
    } catch (Exception e) {
        /* do nothing, but catch so it'll compile... */
    }
}
```

Java Example:

```java
while (DoSomething()) {
    try {
        /* perform main loop here */
    } catch (Exception e) {
        /* do nothing, but catch so it'll compile... */
    }
}
```

| Field | Value |
|---|---|
| Context Notes | If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and clean up the program. |
| Relationships | |
| Source Taxonomies | CLASP - Improper error handling |
| Applicable Platforms | All |

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| 83 | XPath Injection |
| 66 | SQL Injection |
| 7 | Blind SQL Injection |
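The C example's ignored malloc failure beside a version that acts on each error condition, as an added example that is not part of this CWE entry; the injectable allocator (`alloc_fn`), the `failing_alloc` hook and the `copy_name`/`copy_name_unchecked` names are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the CWE-390 entry. The allocator is passed in as
 * a function pointer (a hypothetical test hook) so the out-of-memory path
 * can be exercised deterministically rather than assumed never to happen. */
typedef void *(*alloc_fn)(size_t);

/* Status codes let every caller know what state the program is in. */
enum copy_status { COPY_OK = 0, COPY_EINVAL = 1, COPY_ENOMEM = 2 };

/* Constructed allocator that always fails, standing in for a real OOM. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* The CWE-390 pattern from the entry: the malloc failure is detected,
 * nothing is done about it, and execution continues into strcpy() with a
 * NULL buffer. Kept only for contrast; never call it with an allocator
 * that can fail. */
char *copy_name_unchecked(alloc_fn alloc, const char *src) {
    char *foo = alloc(strlen(src) + 1);
    if (foo == 0) {
        /* We do nothing, so we just ignore the error. */
    }
    strcpy(foo, src);           /* NULL dereference when alloc failed */
    return foo;
}

/* Corrected version: each error condition is acted on. The caller gets a
 * status code, *out is always NULL on failure, and no half-initialised
 * buffer is left behind, so the state of the system is known at all times. */
enum copy_status copy_name(alloc_fn alloc, const char *src, char **out) {
    *out = NULL;
    if (src == NULL)
        return COPY_EINVAL;     /* bad input: report it, do not proceed */
    size_t len = strlen(src) + 1;
    char *foo = alloc(len);
    if (foo == NULL)
        return COPY_ENOMEM;     /* allocation failed: report, do not continue */
    memcpy(foo, src, len);
    *out = foo;
    return COPY_OK;
}
```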