# Error Handling

Attackers often trigger errors intentionally so that the resulting error messages reveal information about the application (stack traces, library versions, internal state). This information can then be used to exploit vulnerabilities.

A05:2021

# Background

# Context

An error is caused by a fault and leads to the failure of the system if the error influences the service or reaches its surface. Therefore, error handling that removes errors from the current state of the system is required.

# Problems

  • Error handlers are not holistic → Errors, possibly containing stack traces, can reach the surface
  • Error messages contain too much information (for example "Password '123' is already used by user 'Alice'")
  • Error handling is custom to each web application → Developers have to implement it themselves

# Solutions

  • Global error handler with generic error message
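As an added example (not part of this page or of any reviewed framework), a framework-independent global error handler written as WSGI middleware in Python: an ad-hoc handler that leaks the exception text is shown beside the hardened wrapper, which logs the full trace server-side and returns only a generic message with an incident id. The `register_user` exception text and the incident-id scheme are constructed for the demonstration.

```python
import json
import logging
import sys
import traceback
import uuid

log = logging.getLogger("app.errors")

def register_user(environ):
    # Constructed business logic; its exception text is exactly what must not reach the client.
    raise ValueError("Password '123' is already used by user 'Alice'")

def leaky_app(environ, start_response):
    # Ad-hoc handler that echoes the exception text: leaks internal state to the attacker.
    try:
        return [register_user(environ)]
    except Exception as exc:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [str(exc).encode()]

def plain_app(environ, start_response):
    # No error handling at all: the exception propagates out of the application.
    return [register_user(environ)]

def generic_error_handler(app):
    """Global handler: wrap a WSGI app so every unhandled exception yields one generic response."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex  # correlates the user-visible response with the server log
            log.error("incident %s\n%s", incident, traceback.format_exc())  # full detail stays server-side
            body = json.dumps({"error": "internal server error", "incident": incident}).encode()
            # exc_info is required by WSGI if the wrapped app already called start_response
            start_response("500 Internal Server Error",
                           [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))], sys.exc_info())
            return [body]
    return wrapper

def call(app, path="/register"):
    """Minimal in-process WSGI client: returns (status, body_text)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "POST"}, start_response))
    return captured["status"], body.decode()
```

Wrapping the application object once at deployment time (`app = generic_error_handler(plain_app)`) is what makes the handler holistic: no route can forget to catch its own exceptions.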

# Technologies

Error handlers can be found in all reviewed programming languages and frameworks.

However, no available solution offers Security By Default; they only support developers in catching errors, while the decision what an error message reveals remains with the developer.

DANGER

High potential for mistakes!

Last Updated: 7/3/2022, 3:51:46 PM