Build cyber prowess with training from renowned experts

Multiple training options to best fit your schedule and preferred learning style

Hands-On Simulations

Hands-on learning exercises keep you at the top of your cyber game

Training Events & Summits

Expert-led training at locations around the world

Demonstrate cybersecurity expertise with GIAC certifications

Free Training Events

Upcoming workshops, webinars and local events

Workforce Security and Risk Training

Harden enterprise security with end-user and role-based training

Explore common cyber career paths and the training that aligns with each

Featured CourseView All Courses

SEC504: Hacker Tools, Techniques, and Incident Handling

SEC504Offensive Operations

SEC504: Hacker Tools, Techniques, and Incident Handling

View course details Register

Get a free hour of SANS training

Experience SANS training through course previews.

Chart your path to job-specific training courses

Give your cybersecurity career the right foundation for success

Find the courses and certifications that align with our current or desired role

Training designed to help security leaders reduce organizational risk

By Skills Framework

Explore how SANS courses align with leading cybersecurity skills frameworks including NICE, ECSF and DoD 8140

Degree and Certificate Programs

Gain the skills, certifications, and confidence to launch or advance your cybersecurity career.

By Skills Roadmap

Find the right training path based on critical skills

FeaturedView all Focus Areas

Cloud Security Training

Can't find what you are looking for?

Let us help.

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

Join the SANS Community

Become a member for instant access to our free resources.

For Organizations

Mission-focused cybersecurity training for government, defense, and education

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Talk with an expert

Talk with an expert

Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions

Mar 15 2010

Authored byFrank Kim

Frank Kim

CWE-754 happens when "software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software." [1]

Take the following snippet of Java code as an example:

private static final int ROLE_ADMIN = 0;
private static final int ROLE_USER = 1;
private static final int ROLE_GUEST = 2;

public static final int getRole() {
    String s = lookupRoleInDatabase();
    int role = 0;

    try {
        role = Integer.valueOf(s);
    } catch (NumberFormatException e) {
        // this shouldn't happen
    }
    return role;
}

In this case the developer does not expect a NumberFormatException to occur and simply swallows the Exception. This has the nasty side effect of granting admin access because the role variable has a default value of zero (i.e. ADMIN) and this default value is returned if a NumberFormatException is thrown.

Always check and handle exceptional conditions and always perform validation on inputs (even if they come from the database). Also, keep in mind that unusual or exceptional conditions aren't just related to exception handling. Ignoring return values can also lead to incorrect behavior [2].

http://cwe.mitre.org/top25/#CWE-754
See examples at http://cwe.mitre.org/data/definitions/754.html

Meet the expert

Frank Kim

Fellow

Frank Kim is the Founder of ThinkSec, a security consulting and CISO advisory firm. He leads the Cybersecurity Leadership and Cloud Security curricula at SANS, as well as authors and instructs multiple SANS courses.

Read more about Frank Kim

SANS Institute | Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions | SANS Institute