Lack of DefaultFaultRule

Severity: Medium
Applies to: Target Proxy
Links: CWE-390

Why This Issue Is Important

A lack of a DefaultFaultRule means that when unexpected errors or exceptions occur, they are not handled in a controlled way. This can lead to information leakage, unintended behaviour, or disruption of service availability. Proper fault handling is crucial for maintaining system stability and security, and for returning meaningful feedback to clients when errors occur.

How This Issue Is Detected

The issue is detected by analyzing the fault rules configured in the API proxy. The tool checks for the presence of a DefaultFaultRule or an equivalent unconditional fault rule (a FaultRule with no Condition, which therefore matches every fault). If no such rule is found, the issue is flagged, because there is no fallback mechanism to handle unexpected errors.

How to Fix the Issue

Add a DefaultFaultRule to the API proxy configuration. This rule handles every fault that is not caught by a more specific fault rule. Here’s an example configuration:

<!-- Fallback handler for faults not matched by a specific FaultRule -->
<DefaultFaultRule name="DefaultFault">
    <Step>
        <!-- Name of an AssignMessage policy that builds a generic 503 response -->
        <Name>Assign-Message-503</Name>
    </Step>
    <!-- true: run this rule even when another FaultRule already matched -->
    <AlwaysEnforce>true</AlwaysEnforce>
</DefaultFaultRule>
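As an added example (not part of this page or of the scanning tool it describes), the check from "How This Issue Is Detected" implemented in Python and run over two constructed ProxyEndpoint documents, one missing the fallback and one carrying the fix above. The policy names and the treatment of an empty Condition as unconditional are assumptions.

```python
# Added example, not the scanner's own code: flags an Apigee ProxyEndpoint XML
# that has neither a DefaultFaultRule nor an unconditional FaultRule.
# Sample endpoint documents below are constructed for illustration.
import xml.etree.ElementTree as ET


def has_default_fault_handling(endpoint_xml: str) -> bool:
    """Return True if the endpoint has a fallback for uncaught faults."""
    root = ET.fromstring(endpoint_xml)
    # Explicit DefaultFaultRule: the documented fallback.
    if root.find("DefaultFaultRule") is not None:
        return True
    # Equivalent: a FaultRule without a Condition fires for every fault
    # (an empty Condition is treated the same way here; assumption).
    fault_rules = root.find("FaultRules")
    if fault_rules is None:
        return False
    for rule in fault_rules.findall("FaultRule"):
        cond = rule.find("Condition")
        if cond is None or not (cond.text or "").strip():
            return True
    return False


# Constructed sample: only a conditional rule, so uncaught faults fall through.
MISSING = """<ProxyEndpoint name="default">
  <FaultRules>
    <FaultRule name="quota-exceeded">
      <Step><Name>Assign-Message-429</Name></Step>
      <Condition>(fault.name = "QuotaViolation")</Condition>
    </FaultRule>
  </FaultRules>
</ProxyEndpoint>"""

# Constructed sample: same endpoint with the DefaultFaultRule from the fix added.
FIXED = """<ProxyEndpoint name="default">
  <FaultRules>
    <FaultRule name="quota-exceeded">
      <Step><Name>Assign-Message-429</Name></Step>
      <Condition>(fault.name = "QuotaViolation")</Condition>
    </FaultRule>
  </FaultRules>
  <DefaultFaultRule name="DefaultFault">
    <Step><Name>Assign-Message-503</Name></Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
</ProxyEndpoint>"""

if __name__ == "__main__":
    for label, doc in (("missing", MISSING), ("fixed", FIXED)):
        verdict = "ok" if has_default_fault_handling(doc) else "FLAG: no DefaultFaultRule"
        print(f"{label}: {verdict}")
```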