Improper error handling

Improper Error Handling

Errors

It is common for web applications to frequently generate error conditions during normal operation.

These errors must be properly handled according to a well thought-out scheme:

  • Provides a meaningful error message to the user.

  • Provides diagnostic information to the site admin.

  • Provides no useful information to an attacker.

Improper Handling

Improper handling of errors could potentially result in detailed internal error messages such as:

  • Stack traces

  • Database dumps

  • Error codes

...being displayed to unknown users or hackers.

Action

Fail Open Errors

Exceptions

Definition: An exception is an event that occurs during the execution of a program, disrupting the normal flow of the program's instructions. Exception handling enables programmers to remove error-handling code from the main line of the program’s execution, simplifying code construction and maintenance. It allows for problematic situations to be processed at multiple levels.

Exception Handling: A programming concept that allows an application to respond to different error states (e.g., network down, database connection failed). Handling exceptions and errors correctly is critical to making your code reliable and secure.

Benefits of Exceptions

  • Centralizes code that deals with exceptional situations.

  • Facilitates bug discovery and resolution in the code.

  • Unified error handling: all .NET Framework classes throw exceptions to handle error cases.

  • Exceptions provide a stack trace that tells you the path the application took until the error occurred.

  • User-defined exceptions can carry any specific information you choose.

Exceptions and Consequences

Unhandled Exceptions

Definition (App): Occurs when the application code does not properly handle exceptions.

Definition (Developer): Occurs when a developer does not anticipate and handle a potential exception.

Example: For example, when you try to open a file on disk, a common problem is that the file may not exist.

Handling Exceptions

try {
// code in which exception might occur
} 

catch (InvalidOperationException) {
// Code to handle the exception
// Must be of class Exception or one that extends it directly or indirectly
} 

catch (SomeOtherException) {
// code that recovers from SomeOtherException
// (or any exception type derived from it)
} 

catch {
// code that recovers from any kind of exception
// when you catch any exception, you usually re-throw
throw;
}

finally {
// code that cleans up any operations started within the try block.
// (Optional) code present here will always be executed
}

Try Block

Define: A try block contains code that requires exception-recovery operations. The cleanup code should be placed in a single finally block, while exception recovery code should be placed in catch blocks. A try block must have at least one catch or finally block.

Catch Block

Define: A catch block contains code executed in response to an exception. If the code in a try block doesn’t produce an exception, the CLR will not execute the code in any of its catch blocks. The catch type must derive from System.Exception or a type that does so directly or indirectly. You can also specify a variable name like catch(Exception e) to access information specific to the exception.

Finally Block

Define: C# provides the finally block, which is guaranteed to execute regardless of whether an exception occurs. If the try block executes without throwing, the finally block executes; if the try block throws an exception, the finally block still executes regardless of whether the exception is caught. This makes the finally block ideal for releasing resources from the corresponding try block. Local variables in a try block cannot be accessed in the corresponding finally block, so variables that must be accessed in both should be declared before the try block. Placing the finally block before a catch block results in a syntax error. A try block does not require a finally block, and sometimes no clean-up is needed. A try block can have no more than one finally block.

Improper Error Handling

Errors It is common for web applications to frequently generate error conditions during normal operation. These errors must be properly handled according to a well thought-out scheme:

  • Provides a meaningful error message to the user.

  • Provides diagnostic information to the site admin.

  • Provides no useful information to an attacker. Improper Handling Improper handling of errors could potentially result in detailed internal error messages such as:

  • Stack traces

  • Database dumps

  • Error codes

...being displayed to unknown users or hackers. Action Fail Open Errors Exceptions Definition: An exception is an event that occurs during the execution of a program, disrupting the normal flow of the program's instructions. Exception handling enables programmers to remove error-handling code from the main line of the program’s execution, simplifying code construction and maintenance. It allows for problematic situations to be processed at multiple levels. Exception Handling: A programming concept that allows an application to respond to different error states (e.g., network down, database connection failed). Handling exceptions and errors correctly is critical to making your code reliable and secure. Benefits of Exceptions

  • The ability to keep code that deals with exceptional situations in a central place.

  • The ability to locate and fix bugs in the code.

  • Unified error handling: all .NET Framework classes throw exceptions to handle error cases.

  • Exceptions also include a stack trace that tells you the path application took until the error occurred.

  • You can also put any information you want in a userdefined exception of your own. Exceptions and Consequences Unhandled Exceptions: Definition (App): Occurs when the application code does not properly handle exceptions. Definition (Developer): Occurs when a developer does not anticipate and handle a potential exception. Example: For example, When you try to open a file on disk, it is a common problem for the file to not exist. Handling Exceptions

t°e {
// includes code in which exception might occur
} 

catch (InvalidOperationException) {
//Code to handle the exception
//Must be of class Exception or one that extends it directly or indirectly
} 

catch (SomeOtherException) {
// code that recovers from an SomeOtherException
// (or any exception type derived from it)
} 

catch {
// code that recovers from any kind of exception
// when you catch any exception, you usually re-throw
throw;
}

finally {
// code that cleans up any operations started within the try block.
// (Optional) code present here will always be executed
}

Try Block

Define: A try block contains code that requires common cleanup or exception-recovery operations. The cleanup code should be put in a single finally block. The exception recovery code should be put in one or more catch blocks. Create one catch block for each kind of type you want to handle. A try block must have at least one catch or finally block.

Catch Block

Define: A catch block contains code to execute in response to an exception. If the code in a try block doesn’t cause an exception to be thrown, the CLR will never execute the code in any of its catch blocks. The catch type must be of type System.Exception or a type that derived from System.Exception. You can also specify a variable name like catch(Exception e) to access information specific to the exception.

Finally Block

Define: C# provides the finally block, which is guaranteed to execute regardless of whether an exception occurs. If the try block executes without throwing, the finally block executes. If the try block throws an exception, the finally block still executes regardless of whether the exception is caught. This makes the finally block ideal to release resources from the corresponding try block. Local variables in a try block cannot be accessed in the corresponding finally block, so variables that must be accessed in both should be declared before the try block. Placing the finally block before a catch block is a syntax error. A try block does not require a finally block, sometimes no clean-up is needed. A try block can have no more than one finally block.