Error Handling has always been crucial for an application in a number of ways. It may affect the execution state of the application, or expose sensitive information to a user.If the error handling is not strong,it may aid the attacker, as the errors returned may assist them in constructing correct attack factors.
An important part of secure application development is to prevent leakage of superfluous information to end user. Error messages if not proper, may give an attacker great insight into the inner workings of an application.
What are Exceptions :
Moving on to the definition,Exceptions are basically the unforeseen errors that happen in our programs. Most of the time, one can, and should, detect and handle application errors in the code. For example, validate user input data, check for null objects,verify the values returned from methods are what one expect, are all examples of good standard error handling that one should be taking care of all the time.
Handling the Anomalies :
Tracing and handling of execution time errors is one of the most crucial tasks ahead of any programmer. But, before discussing the same, let’s look at compile time errors, which are errors that occur during compilation of application. They may cause due to bad coding, misspelling of syntaxes, and so on.
On the other hand, runtime errors occur at the time the program executes and can’t be corrected. A developer can, however, take preventive measures while coding the program. To do so, he should first identify these two aspects:
- Discover the parts of a program that are most likely to emit errors at execution time.
- Handle those errors according to the language conventions.
When an exception occurs the program flow for the executing method is interrupted. If the exception is not handled explicitly, the method exits and the exception is escalated to the calling function. This calling function has the opportunity to handle that error. The process continues until the exception is handled by the application or it reaches the Language’s runtime system.
An unhandled exception that reaches the Language’s runtime system causes the immediate, abnormal termination of the program. This can be a problem as the exception is reported to the end user in form of a message or dialog box containing standard information and technical details that may be misunderstood. During debugging this may be useful but in a production system it is generally considered unacceptable. It can also permit the user to attempt to continue to run a program that, due to errors, has become unstable.
A generic custom error page for most errors is recommended. This approach makes it more difficult for attackers to identify signatures of potentially successful attacks. There are methods which can circumvent systems with leading error handling practices which should be kept in mind; Attacks like SQL injection can be used to address such generic responses.
The other key area relating to error handling is the premise of “fail securely”. Errors induced should not leave the application in an insecure state. Resources should be locked down and released, sessions terminated (if required), and calculations or business logic should be halted (depending on the type of error, of course).
“The purpose of reviewing the Error Handling code is to assure that the application fails safely under all possible error conditions, expected and unexpected. No sensitive information is presented to the user when an error occurs.”
Right Approach :
This content focusses more on technical feasibility and implementation of the same, we see here how the points discussed above are disguised in the form of code and learn how to implement these points practically in our application.
The Building Blocks :
In .NET a System.Exception object exists. Mostly used child objects such as ApplicationException and SystemException are used. It’s not recommended that one throws or catches a SystemException as that is thrown by CLR automatically..
When an error occurs, the system or the currently executing application reports it by throwing an exception containing information about the error. Once exception thrown, it is handled by the application or by the default exception handler. This Exception object contains methods such as:
- StackTrace of Exception,
- Source of Exception,
- Message in Exception,
- InnerException of that object.
In .NET we need to look at the error handling strategy from the point of view of global error handling and handling of unexpected errors.
To avoid program to crash, the exceptions must be caught using a try-catch statement. And last but not the least, the Finally block.
As the last clause in the try-catch statement a finally block can also be added. This block is used to clean up all the resources allocated in the try block and will always execute whether there is an exception or not.