A crash is the result of unexpected or unhandled behaviours. It might be the result of missing input validations, incorrect serializations, or non-allowed operations etc.
An attacker may try to find the code path that leads to the faulty procedure and attempt to execute arbitrary code through potential vulnerabilities.
Crashes may give an attacker valuable information about the system and its internal details. Crashes may also create temporary vulnerabilities or leave unprotected files (e.g. memory dumps) that may be exploited.
To securely addresses exceptions and crashes in the application:
- Catch all the errors and handle them correctly
- Validate the type and the length of all the inputs
- Do not generate logs or throw errors containing personal information
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- CWE-209: Information Exposure Through an Error Message
- CWE-20: Improper Input Validation