Exception Handling Vulnerabilities
npx machina-cli add skill allsmog/vuln-scout/exception-handling --openclawFiles (1)
SKILL.md
10.3 KB
Exception Handling Vulnerabilities (OWASP A10)
Purpose
Provide detection patterns for vulnerabilities related to improper exception and error handling, including XXE (XML External Entity) injection, stack trace disclosure, and authentication bypass via exceptions.
OWASP 2025 Mapping
Category: A10 - Mishandling of Exceptional Conditions
CWEs:
- CWE-390: Detection of Error Condition Without Action
- CWE-392: Missing Report of Error Condition
- CWE-460: Improper Cleanup on Thrown Exception
- CWE-611: Improper Restriction of XML External Entity Reference (XXE)
- CWE-755: Improper Handling of Exceptional Conditions
When to Use
Activate this skill when:
- Searching for XML parsing vulnerabilities
- Reviewing error handling code
- Looking for information disclosure via exceptions
- Finding authentication/authorization bypass via exception paths
XXE (XML External Entity) Injection
Overview
XXE occurs when XML parsers process external entity references in untrusted XML input, allowing attackers to read files, perform SSRF, or cause DoS.
Detection Patterns
Java
# Vulnerable XML parsers
grep -rniE "DocumentBuilderFactory|SAXParserFactory|XMLInputFactory|TransformerFactory|SchemaFactory|XMLReader" --include="*.java"
# Check for disabled external entities (SAFE patterns)
grep -rniE "setFeature.*FEATURE_SECURE_PROCESSING|setFeature.*disallow-doctype-decl|setExpandEntityReferences.*false" --include="*.java"
Vulnerable Pattern:
// VULNERABLE: Default parser allows XXE
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(userInputStream); // XXE possible
Secure Pattern:
// SAFE: External entities disabled
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
Python
# Vulnerable XML parsers
grep -rniE "xml\.etree\.ElementTree|xml\.dom\.minidom|xml\.sax|lxml\.etree" --include="*.py"
# Check for defusedxml (SAFE)
grep -rniE "defusedxml|defused" --include="*.py"
Vulnerable Pattern:
# VULNERABLE: Standard library allows XXE
import xml.etree.ElementTree as ET
tree = ET.parse(user_input) # XXE possible
Secure Pattern:
# SAFE: Use defusedxml
import defusedxml.ElementTree as ET
tree = ET.parse(user_input) # XXE blocked
PHP
# Vulnerable XML functions
grep -rniE "simplexml_load|DOMDocument|XMLReader|SimpleXMLElement" --include="*.php"
# Check for entity loader disabled (SAFE)
grep -rniE "libxml_disable_entity_loader|LIBXML_NOENT" --include="*.php"
Vulnerable Pattern:
// VULNERABLE: External entities enabled
$xml = simplexml_load_string($userInput); // XXE possible
Secure Pattern:
// SAFE: Disable external entities (PHP < 8.0)
libxml_disable_entity_loader(true);
$xml = simplexml_load_string($userInput, 'SimpleXMLElement', LIBXML_NOENT);
Go
# XML parsing
grep -rniE "xml\.Unmarshal|xml\.Decoder|xml\.NewDecoder" --include="*.go"
Note: Go's encoding/xml does not process external entities by default, making it safe from XXE. However, third-party libraries may be vulnerable.
TypeScript/JavaScript
# XML parsing libraries
grep -rniE "xml2js|fast-xml-parser|libxmljs|DOMParser|parseFromString" --include="*.ts" --include="*.js"
Vulnerable Pattern:
// VULNERABLE: Some libraries allow XXE
const parser = new DOMParser();
const doc = parser.parseFromString(userInput, "text/xml");
Stack Trace / Error Disclosure
Overview
Exposing stack traces or detailed error messages to users reveals internal paths, library versions, and application structure.
Detection Patterns
Java
# Stack trace printing
grep -rniE "printStackTrace|getStackTrace|\.getMessage\(\)" --include="*.java"
# Exposed to response
grep -rniE "response\.getWriter\(\).*exception|sendError.*getMessage" --include="*.java"
Vulnerable Pattern:
// VULNERABLE: Stack trace sent to user
catch (Exception e) {
response.getWriter().println(e.getMessage());
e.printStackTrace(response.getWriter());
}
Python
# Traceback exposure
grep -rniE "traceback\.print_exc|traceback\.format_exc|sys\.exc_info" --include="*.py"
# Debug mode
grep -rniE "DEBUG.*=.*True|app\.debug.*=.*True" --include="*.py"
Vulnerable Pattern:
# VULNERABLE: Traceback in response
except Exception as e:
return jsonify({"error": traceback.format_exc()}) # Exposes internals
PHP
# Error display
grep -rniE "display_errors|error_reporting|var_dump|print_r" --include="*.php"
Vulnerable Pattern:
// VULNERABLE: Errors displayed to users
ini_set('display_errors', 1);
error_reporting(E_ALL);
Go
# Stack trace functions
grep -rniE "debug\.PrintStack|runtime\.Stack|debug\.Stack" --include="*.go"
# Error exposure
grep -rniE "http\.Error.*err\.Error\(\)|json\..*err\.Error\(\)" --include="*.go"
Vulnerable Pattern:
// VULNERABLE: Internal error exposed
if err != nil {
http.Error(w, err.Error(), 500) // May leak internal paths
}
TypeScript
# Stack exposure
grep -rniE "\.stack|Error\(\)\.stack|console\.error" --include="*.ts"
Empty Catch Blocks
Overview
Empty catch blocks silently swallow exceptions, potentially hiding security failures or allowing bypasses.
Detection Patterns
# Java - Empty catch
grep -rniE "catch\s*\([^)]+\)\s*\{\s*\}" --include="*.java"
# Python - pass in except
grep -rniE "except.*:\s*pass" --include="*.py"
# PHP - empty catch
grep -rniE "catch\s*\([^)]+\)\s*\{\s*\}" --include="*.php"
# TypeScript - empty catch
grep -rniE "catch\s*\([^)]*\)\s*\{\s*\}" --include="*.ts"
Vulnerable Pattern:
// VULNERABLE: Authentication failure silently ignored
try {
authenticateUser(token);
} catch (AuthenticationException e) {
// Empty - user proceeds as authenticated!
}
Exception-Based Authentication Bypass
Overview
When authentication/authorization logic is inside try blocks, exceptions may allow bypass.
Detection Patterns
# Auth in try blocks
grep -rniE "try.*\{[^}]*(authenticate|authorize|checkPermission|isAdmin)" --include="*.java" --include="*.py" --include="*.go" --include="*.ts" --include="*.php"
# Catch blocks that continue execution
grep -rniE "catch.*\{[^}]*(continue|return true|return null)" --include="*.java"
Vulnerable Pattern:
// VULNERABLE: Exception allows bypass
boolean isAuthorized = false;
try {
isAuthorized = authService.checkPermission(user, resource);
} catch (Exception e) {
// Exception occurs, isAuthorized stays false... or does it?
log.error("Auth check failed", e);
}
// If exception + isAuthorized not checked properly = bypass
Resource Exhaustion via Exceptions
Overview
Repeated exception generation can exhaust resources (CPU, memory, logs).
Detection Patterns
# Exceptions in loops
grep -rniE "(for|while).*\{[^}]*throw new|try.*\{[^}]*(for|while)" --include="*.java" --include="*.py" --include="*.go"
# Unbounded recursion
grep -rniE "catch.*\{[^}]*throw|except.*raise" --include="*.java" --include="*.py"
Language-Specific Secure Patterns
Java - Safe Exception Handling
// Log internally, return generic message
catch (Exception e) {
logger.error("Operation failed", e); // Internal log with stack
throw new ApiException("An error occurred", 500); // Generic to user
}
Python - Safe Exception Handling
# Log internally, return generic message
except Exception as e:
logger.exception("Operation failed") # Logs full traceback
return jsonify({"error": "An error occurred"}), 500 # Generic to user
Go - Safe Exception Handling
// Wrap errors, don't expose internals
if err != nil {
log.Printf("operation failed: %v", err) // Internal log
http.Error(w, "Internal server error", 500) // Generic to user
}
PHP - Safe Exception Handling
// Production error handling
ini_set('display_errors', 0);
ini_set('log_errors', 1);
error_log($e->getMessage()); // Log internally
echo json_encode(["error" => "An error occurred"]); // Generic to user
TypeScript - Safe Exception Handling
// Sanitize errors before response
catch (error) {
logger.error('Operation failed', { error }); // Internal log
res.status(500).json({ error: 'An error occurred' }); // Generic
}
Verification Steps
- Find XML parsers → Check if external entities are disabled
- Find catch/except blocks → Check if they're empty or expose details
- Find error responses → Check if stack traces or internal errors are included
- Find auth in try blocks → Check exception handling doesn't bypass auth
- Test XXE → Send payload with external entity reference
XXE Test Payloads
<!-- File read -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
<!-- SSRF -->
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server/admin">]>
<foo>&xxe;</foo>
<!-- DoS (Billion Laughs) -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>
CWE References
| CWE | Name | Description |
|---|---|---|
| CWE-390 | Detection Without Action | Exception caught but not handled |
| CWE-392 | Missing Report | Exception not logged/reported |
| CWE-460 | Improper Cleanup | Resources not cleaned on exception |
| CWE-611 | XXE | XML parser processes external entities |
| CWE-755 | Improper Handling | Generic exception handling issues |
Source
git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/exception-handling/SKILL.mdView on GitHub Overview
This skill detects vulnerabilities related to improper exception and error handling, including XXE, stack trace exposure, and exception-based bypasses. It maps findings to OWASP A10 and relevant CWEs, helping whitebox pentesters identify where errors disclose information or allow unauthorized access.
How This Skill Works
It analyzes source and configuration for exception paths and XXE vulnerabilities by scanning for known vulnerable patterns across languages (Java, Python, PHP, Go, TS/JS). It highlights unsafe code (e.g., enabling external entities) and provides secure alternatives and example patterns from the skill, enabling targeted remediation.
When to Use It
- Searching for XML parsing vulnerabilities
- Reviewing error handling code
- Looking for information disclosure via exceptions
- Finding authentication/authorization bypass via exception paths
- Conducting a targeted whitebox pentest of exception handling weaknesses
Quick Start
- Step 1: Scan for XML parsers and external-entity patterns across codebases
- Step 2: Apply secure configurations to disable DOCTYPE and external entities
- Step 3: Run targeted tests to verify no information disclosure or bypass via exceptions
Best Practices
- List all XML parsers used and verify external entities are disabled
- Enable secure features: disallow DOCTYPE declarations and disable external entities
- Use safe libraries (e.g., defusedxml in Python) and audit third-party XML libraries
- Test error paths to prevent information disclosure via stack traces and messages
- Sanitize and standardize error responses to avoid leaking sensitive data
Example Use Cases
- Java XXE: Default DocumentBuilderFactory with parse(userInput) enables XXE
- Python XXE: xml.etree.ElementTree.parse(user_input) may be vulnerable
- PHP XXE: SimpleXML with external entities enabled
- Go XXE caveat: encoding/xml is safe by default, but check third-party libs
- TypeScript/JavaScript: xml2js, DOMParser, or parseFromString usage can leak data if not secured
Frequently Asked Questions
Add this skill to your agents
