Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The designer will ensure the application is not subject to error handling vulnerabilities.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6166 | APP3120 | SV-6166r1_rule | DCSQ-1 | Medium |
| Description |
|---|
| Unhandled exceptions leaves users with no means to properly respond to errors. Mishandled exceptions can transmit information that can be used in future security breaches. Properly handled errors allow applications to follow security procedures and guidelines in an informed manner. If too much information is revealed in the error message, it can be used as the basis for an attack. |
| STIG | Date |
|---|---|
| Application Security and Development STIG | 2014-04-03 |
Details
| Check Text ( C-3042r1_chk ) |
|---|
| Use the error messages generated from APP3510 as input into this check. Ensure that the application provides error handling processes. The application code should not rely on internal system generated error handling. 1) If the errors are not being handled by the application, and are being processed by the underlying internal system, this is a CAT III finding. Inspect the verbiage of the message. Ensure that the application does not provide information that can be used by an attacker. 2) If any of the following types of errors are displayed, this is a CAT II finding. Error messages should not include variable names, variable types, SQL strings, or source code. Errors that contain field names from the screen and a description of what should be in the field should not be considered a finding. |
| Fix Text (F-16994r1_fix) |
|---|
| Add code to properly handle or trap errors. |