Are You Properly Handling Java Exceptions?
Proper exception handling is a very important part of development, because improper handling can expose an application to security vulnerabilities. Java exceptions can indicate programming logic errors or possible hacking attempts aimed at determining the application's footprint. When an exception occurs, detailed information is returned to the calling program or browser; this information can be sensitive and may include the application's stack trace. Revealing it to the end user results in frustration, as they are not shown a meaningful message. In the hands of an attacker, the detailed technical information revealed by an unhandled exception is another means of probing the environment to gain a foothold.
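The leak described above and one way to close it, as an added example that is not part of the original article or of BrixBits' software. It uses only the JDK's built-in com.sun.net.httpserver; the class name, the two routes and the failing parse are assumptions made for the illustration.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical wrapper: no exception raised by the wrapped handler reaches the client. */
public final class SafeExceptionHandler implements HttpHandler {
    private static final Logger LOG = Logger.getLogger(SafeExceptionHandler.class.getName());
    private final HttpHandler delegate;

    public SafeExceptionHandler(HttpHandler delegate) { this.delegate = delegate; }

    @Override
    public void handle(HttpExchange ex) throws IOException {
        try {
            delegate.handle(ex);
        } catch (Exception e) {
            // A reference id lets support locate the server-side entry without exposing the trace.
            String id = UUID.randomUUID().toString();
            // Full stack trace, URL and client address go to the server log only.
            LOG.log(Level.SEVERE, "Unhandled exception " + id + " for " + ex.getRequestURI()
                    + " from " + ex.getRemoteAddress(), e);
            byte[] body = ("An internal error occurred. Reference: " + id).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(500, body.length); // fails if the delegate already sent headers
            try (OutputStream out = ex.getResponseBody()) { out.write(body); }
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        // Leaky variant: the exception class and message (internal detail) are written to the client.
        server.createContext("/leaky", ex -> {
            try {
                Integer.parseInt(ex.getRequestURI().getQuery()); // constructed failure on a bad query
            } catch (NumberFormatException e) {
                byte[] body = e.toString().getBytes(StandardCharsets.UTF_8);
                ex.sendResponseHeaders(500, body.length);
                try (OutputStream out = ex.getResponseBody()) { out.write(body); }
            }
        });
        // Hardened variant: same failure, but only a generic message and reference id leave the server.
        server.createContext("/safe", new SafeExceptionHandler(ex -> {
            Integer.parseInt(ex.getRequestURI().getQuery());
            ex.sendResponseHeaders(204, -1);
        }));
        server.start();
    }
}
```

Requesting /leaky?abc returns the exception text to the browser, while /safe?abc returns only the generic message and the id under which the stack trace was logged.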
There is a great deal of guidance regarding error and exception handling, including several OWASP guides such as the OWASP Top Ten Proactive Controls 2.0, the OWASP Code Review Guide, the OWASP Testing Guide 4.0, and an article on Improper Error Handling. The book Iron-Clad Java also covers the topic.
BrixBits Security Analyzer can help to identify these exception handling errors by generating events for all Java exceptions. The event details include the URL and client source information along with the stack trace. This information can provide additional time to correct the issue if it is discovered during development or testing, or added insight if it is detected in production.