OWASP A10 · Mishandling of Exceptional Conditions · CWE-703 Improper Check of Exceptional Conditions · Severity: High

Fail-open auth — the exception that grants access

An auth check that throws on error and is caught into 'allow' silently opens the door.

What happened

The 2025 OWASP Top 10 added 'Mishandling of Exceptional Conditions' (A10) as its own category, covering 24 CWEs. The classic instance: an authorization check talks to a token service, the service errors, the catch block logs and continues, and the request proceeds as if it had been authorized. The system fails open instead of closed.

The code

✕ Vulnerable (error handling)
try {
  const ok = await authz.check(user, resource);
  if (!ok) return deny();
} catch (e) {
  log.warn("authz check failed", e);   // and then... falls through
}
return handle(req);   // reached on ANY error → access granted
✓ Fixed (error handling)
try {
  const ok = await authz.check(user, resource);
  if (!ok) return deny();
} catch (e) {
  log.error("authz check failed — failing closed", e);
  return deny();       // fail CLOSED: an error is a denial, never an allow
}
return handle(req);
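To make the difference between the two shapes observable, the following is an added example (not Benteng's code) that runs a fail-open and a fail-closed wrapper against a constructed token service that allows, denies, throws, or hangs; the hang case extends the case study's "service errors" to a timeout, which a fail-closed check must also treat as a denial. All names (makeAuthz, withTimeout, authorizeFailOpen, authorizeFailClosed, compare) are assumptions.

```javascript
// Added example (not Benteng's code); all names below are assumptions.
const ALLOW = { status: 200 }, DENY = { status: 403 };
// Constructed stand-in for the remote authz/token service; `mode` picks its behaviour.
function makeAuthz(mode) {
  return {
    async check(_user, _resource) {
      if (mode === "allow") return true;
      if (mode === "deny") return false;
      if (mode === "hang") return new Promise(() => {}); // never settles
      throw new Error("token service 503");              // mode === "throw"
    },
  };
}
// Bound the wait so a hung dependency surfaces as an error instead of a stall.
function withTimeout(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("authz timeout")), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}
// Vulnerable shape from the case study: any error falls through to "allow".
async function authorizeFailOpen(authz, user, resource) {
  try {
    const ok = await withTimeout(authz.check(user, resource), 50);
    if (!ok) return DENY;
  } catch (e) { /* logged and ignored, then falls through */ }
  return ALLOW;
}
// Fixed shape: only an explicit `true` allows; errors and timeouts deny.
async function authorizeFailClosed(authz, user, resource) {
  try {
    const ok = await withTimeout(authz.check(user, resource), 50);
    return ok === true ? ALLOW : DENY;
  } catch (e) {
    return DENY;
  }
}
// Returns { mode: [failOpenStatus, failClosedStatus] } for every service mode.
async function compare() {
  const out = {};
  for (const mode of ["allow", "deny", "throw", "hang"]) {
    const authz = makeAuthz(mode);
    const open = await authorizeFailOpen(authz, "alice", "/admin");
    const closed = await authorizeFailClosed(authz, "alice", "/admin");
    out[mode] = [open.status, closed.status];
  }
  return out;
}
```

The only rows where the two wrappers disagree are "throw" and "hang": the fail-open wrapper answers 200 there, the fail-closed one 403.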
→ Detect this class with Web Top 10 (A10 in context)

Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.