
The designer will ensure the application is not subject to error handling vulnerabilities.


Overview

Finding ID: V-6166
Version: APP3120
Rule ID: SV-6166r1_rule
IA Controls: DCSQ-1
Severity: Medium
Description
Unhandled exceptions leave users with no means to respond properly to errors. Mishandled exceptions can disclose information that can be used in future security breaches. Properly handled errors allow applications to follow security procedures and guidelines in an informed manner. If too much information is revealed in an error message, it can serve as the basis for an attack.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-3042r1_chk )
Use the error messages generated from APP3510 as input to this check. Ensure that the application provides its own error handling processes. Application code should not rely on the error handling generated by the underlying system (for example, a default stack trace or framework error page shown to the user).

1) If the errors are not being handled by the application, and are being processed by the underlying internal system, this is a CAT III finding.

Inspect the verbiage of the message. Ensure that the application does not provide information that can be used by an attacker.

2) If any of the following types of errors are displayed, this is a CAT II finding.

Error messages should not include variable names, variable types, SQL strings, or source code. Errors that contain field names from the screen and a description of what should be in the field should not be considered a finding.
Fix Text (F-16994r1_fix)
Add code to properly handle or trap errors.
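The following Python example is added here to illustrate the check and fix above; it is not code from the STIG. It constructs a small in-memory SQLite table and defines two hypothetical lookup handlers: one that lets the exception text and SQL string reach the user (the CAT II pattern), and one that validates the input with a field-level hint (explicitly not a finding), logs the details server-side, and returns only a generic message with a reference ID. The find_leaks function is a simple reviewer aid that inspects message verbiage for the kinds of content the check names; its patterns are heuristics chosen for this example, not part of the STIG.

```python
import logging
import re
import sqlite3
import uuid

# Constructed sample data so the example runs offline (not from the STIG).
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
_db.execute("INSERT INTO users VALUES (1, 'alice')")

log = logging.getLogger("app")


def lookup_user_leaky(user_id: str) -> str:
    """Hypothetical handler showing the pattern APP3120 flags as CAT II.

    The raw exception, the SQL string and an internal function name are
    all returned to the caller.  (String-built SQL is also injectable;
    that is a separate finding and not the point here.)
    """
    sql = "SELECT name FROM users WHERE id = " + user_id
    try:
        row = _db.execute(sql).fetchone()
        return row[0]                      # TypeError if no row matched
    except Exception as exc:               # caught, but mishandled
        return f"Error in lookup_user: {exc!r} while running {sql}"


def lookup_user_hardened(user_id: str) -> dict:
    """Hypothetical handler that satisfies the check.

    - Input is validated first; the message names the screen field and
      what it should contain, which the check says is not a finding.
    - Database failures are logged in full on the server and the user
      gets only a generic message plus a reference ID for support.
    """
    if not user_id.isdigit():
        return {"ok": False, "error": "User ID must be a whole number."}
    try:
        row = _db.execute(
            "SELECT name FROM users WHERE id = ?", (int(user_id),)
        ).fetchone()
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:12]
        log.exception("lookup_user failed ref=%s", ref)   # details stay server-side
        return {"ok": False,
                "error": f"The request could not be completed. Reference: {ref}"}
    if row is None:
        return {"ok": False, "error": "No user with that ID."}
    return {"ok": True, "name": row[0]}


# Heuristic patterns for the reviewer inspection step (assumed for this
# example).  Each tuple is (regex, label of the disclosure it indicates).
LEAK_PATTERNS = [
    (r"\bSELECT\b.*\bFROM\b|\bINSERT\b.*\bINTO\b|\bUPDATE\b.*\bSET\b", "SQL string"),
    (r"Traceback \(most recent call last\)|File \".*\", line \d+", "stack trace / source location"),
    (r"\b[A-Za-z]+(Error|Exception)\b", "exception class name"),
    (r"\b(?:sqlite3|psycopg2|java\.sql|System\.Data)\b", "internal component name"),
]


def find_leaks(message: str) -> list:
    """Return the labels of every LEAK_PATTERNS entry found in a user-facing message."""
    return [label for pat, label in LEAK_PATTERNS if re.search(pat, message)]


if __name__ == "__main__":
    for uid in ("1", "9", "x"):
        leaky = lookup_user_leaky(uid)
        hardened = lookup_user_hardened(uid)
        print(f"input={uid!r}")
        print(f"  leaky   : {leaky!s:<80} leaks={find_leaks(str(leaky))}")
        print(f"  hardened: {hardened}  leaks={find_leaks(hardened.get('error', ''))}")
```

Run with any of the three inputs: the leaky handler's message for a bad ID contains both the SQL statement and the exception class name, while the hardened handler's messages trip none of the patterns. When reviewing a real application, feed the APP3510-generated messages to find_leaks (or an equivalent grep) rather than relying on a visual read, and extend the pattern list with the framework and driver names the application actually uses.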