Kingdom: Errors

Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with "API Abuse," there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle.

Poor Error Handling: Program Catches NullReferenceException

C#/VB.NET/ASP.NET

Abstract

It is generally a bad practice to catch NullReferenceException.

Explanation

Programmers typically catch NullReferenceException under three circumstances:

1. The program contains a null-pointer dereference. Catching the resulting exception was easier than fixing the underlying problem.

2. The program explicitly throws a NullReferenceException to signal an error condition.

3. The code is part of a test harness that supplies unexpected input to the classes under test.

Of these three circumstances, only the last is acceptable.

Example: The following code mistakenly catches a NullReferenceException.


  try {
    MysteryMethod();
  }
  catch (NullReferenceException npe) {
  }

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 395

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SI-11 Error Handling (P2)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SI-11 Error Handling

[6] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

desc.structural.dotnet.poor_error_handling_program_catches_nullreferenceexception