AttackFlow Findings Dictionary


Generic Exception Catch Block

Hiding specific exceptions behind a generic handler may allow an attacker's actions to go unnoticed when they send unexpected requests to a target application.

Severity

Low

Fix Cost

Medium

Trust Level

High

In order not to think too much about handling specific exceptions, we developers have an inclination towards writing overly broad exception handlers such as the snippet below:

try
{
    processFile();
}
catch(Exception e)
{
    // every failure type collapses into the same log entry
    logger.Error(e, "A file process exception occurred", null);
}

More than one exception can be thrown at runtime by the above code:

  • FileNotFoundException
  • FileFormatException
  • DirectoryNotFoundException
  • DriveNotFoundException

However, there is only one action when any of them occurs, whereas the fail-safe action that should be taken might differ from one exception type to another.

Thinking about handling and catching specific exceptions might allow us to notice unusual behaviour and possibly spot a prospective attacker.

The same overly broad handler is just as common in Java code:

try
{
    processFile();
}
catch(Exception e)
{
    // every failure type collapses into the same log entry
    LOGGER.log(Level.SEVERE, "File process exception occurred", e);
}

More than one exception can be thrown at runtime by the above code:

  • FileNotFoundException
  • FileSystemException
  • NotDirectoryException

However, there is only one action when any of them occurs, whereas the fail-safe action that should be taken might differ from one exception type to another.

Thinking about handling and catching specific exceptions might allow us to notice unusual behaviour and possibly spot a prospective attacker.

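The handler above rewritten with the per-exception fail-safe actions the text asks for, as an added example that is not AttackFlow's own code: the broad catch from the snippet sits beside a version that gives each anticipated exception its own action and propagates anything unanticipated instead of swallowing it. The InboxProcessor class, the inbox directory and the processFile stand-in are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.*;
import java.util.logging.Level;
import java.util.logging.Logger;

public class InboxProcessor {
    private static final Logger LOGGER = Logger.getLogger(InboxProcessor.class.getName());

    // Illustrative stand-in for the page's processFile(): counts the entries of an inbox directory.
    static int processFile(Path inbox) throws IOException {
        int count = 0;
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(inbox)) {
            for (Path ignored : entries) {
                count++;
            }
        }
        return count;
    }

    // The finding: every failure, expected or not, becomes the same SEVERE line and the caller learns nothing.
    static int processBroad(Path inbox) {
        try {
            return processFile(inbox);
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "File process exception occurred", e);
            return -1;
        }
    }

    // The fix: one fail-safe action per anticipated exception; the unanticipated ones are not hidden.
    static int processSpecific(Path inbox) {
        try {
            return processFile(inbox);
        } catch (NoSuchFileException e) {
            LOGGER.log(Level.INFO, "Inbox not present yet, nothing to do: " + inbox);
            return 0;                          // routine: an empty run
        } catch (NotDirectoryException e) {
            LOGGER.log(Level.WARNING, "Inbox path is not a directory, check the deployment", e);
            return -1;                         // misconfiguration or tampering: worth an alert
        } catch (FileSystemException e) {
            LOGGER.log(Level.WARNING, "Unexpected file system state for " + inbox, e);
            throw new UncheckedIOException(e); // unanticipated: propagate so it is investigated
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
```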

Every class extends java.lang.Object and inherits the default java.lang.Object.equals implementation, which compares two objects by checking whether they are the same instance. This comparison semantic might not be the intended equality check for instances of custom classes.

CustomClass object1 = new CustomClass("bob", 34);
CustomClass object2 = new CustomClass("bob", 34);

if(object1.equals(object2))
{
    // with the default equals implementation, execution never gets here
}

Given the above code, if CustomClass does not override the equals method, the equality check will fail. However, the intended semantics may be that the two objects are equal because they share the same first name and age.

