Category: OWASP Top Ten 2004 Category A7 - Improper Error Handling
Obsolete
Summary
Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-209 | Generation of Error Message Containing Sensitive Information | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
| CWE-252 | Unchecked Return Value | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-390 | Detection of Error Condition Without Action | The product detects a specific error, but takes no actions to handle the error. |
| CWE-391 | Unchecked Error Condition | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. |
| CWE-394 | Unexpected Status Code or Return Value | The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product. |
| CWE-636 | Not Failing Securely ('Failing Open') | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page | The default error page of a web application should not display sensitive information about the product. |
| CWE-711 | Weaknesses in OWASP Top Ten (2004) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CWE-389 | Error Conditions, Return Values, Status Codes | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.