Reino: Environment

Esta sección incluye todo lo que está fuera del código fuente pero aun así es importante para la seguridad del producto que se está creando. Dado que todas las cuestiones incluidas en esta sección no están directamente relacionadas con el código fuente, las hemos separado de las demás secciones.

Struts Misconfiguration: Missing Exception Type

Java/JSP

Abstract

Las etiquetas <exception> que no contengan un atributo type no se utilizarán.

Explanation

La etiqueta <exception> requiere que se defina un tipo de excepción. La ausencia de un atributo type o que esté vacío indica un controlador de excepciones superfluo o una omisión accidental. Si un desarrollador tenía la intención de controlar una excepción, pero olvidó definir el tipo de excepción, entonces la aplicación podría filtrar información confidencial sobre el sistema.
Ejemplo 1: La siguiente configuración omite el tipo de la etiqueta <exception>.


  <global-exceptions>
    <exception
      key="error.key"
      handler="com.mybank.ExceptionHandler"/>
  </global-exceptions>

References

[1] Apache Struts Specification

[2] Standards Mapping - Common Weakness Enumeration CWE ID 248

[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[5] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[6] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

desc.config.java.struts_misconfiguration_missing_exception_type