359 – Avoid using generic exceptions

Summary

The system should use typified exceptions instead of generic exceptions.

Description

Catching generic exceptions obscures the problem that caused the error and promotes a generic way to handle different categories or sources of error. This may cause security vulnerabilities to materialize, as some special flows go unnoticed.

Supported In

Advanced: True

References

• CWE-396. Declaration of catch for generic exception
• CWE-397. Declaration of throws for generic exception
• CERTJ-ERR01-J. Do not allow exceptions to expose sensitive information
• CMMC-SC_L2-3_13_6. Network communication by exception
• ISSAF-U_15. Web application SQL injections – Countermeasures
• CWE25-476. NULL pointer dereference
• ASVS-4_1_5. General access control design
• CASA-4_1_5. General Access Control Design
• SANS25-12. NULL pointer dereference

Weaknesses

• 140 – Insecure exceptions - Empty or no catch
• 278 – Insecure exceptions - NullPointerException

Last updated

2024/02/05