What are HTTP Status Codes?
Did you know that even a plain "404 Not Found" can help an attacker map your application? Understanding HTTP status codes is crucial for developers and security professionals alike. This post will equip you to identify weaknesses, prevent attacks, and build more secure applications.
HTTP status codes are three-digit numbers in the range 100 to 599 that a server returns to tell a client (such as a web browser) the outcome of an HTTP request. They tell you whether the interaction succeeded or failed and, read carefully, reveal a good deal about how the application behaves. For a security engineer they matter in five ways: understanding application behavior, identifying misconfigurations, aiding security testing and debugging, recognizing exploitation indicators, and detecting information disclosure.
HTTP status codes are categorized into five groups, each designated by the first digit:
1xx Informational: The request is received and processing continues.
2xx Successful: The request was successful, and the server has what you asked for.
3xx Redirection: Further action is needed to complete the request, such as following a redirect.
4xx Client Error: The request contains an error, such as a missing parameter or a bad request format.
5xx Server Error: The server encountered an error and couldn't complete the request.
Why are HTTP Status Codes important?
1. Understanding Application Behavior:
i. 200 OK: Indicates that the request was successful. If an API endpoint returns 200 OK with sensitive user data to a request that carries no valid credentials, that is an information disclosure (or broken access control) finding.
ii. 301/302 Redirects: If the Location header is built from unvalidated user input (for example a next or returnUrl parameter), the redirect becomes an open redirect that attackers can use in phishing. Checking where a 301/302 actually sends you is a quick test for this.
iii. 400 Bad Request: Helps identify input validation issues. How the application reacts to malformed input, and whether the error body leaks details of the parser or framework, is worth further investigation.
iv. 401 Unauthorized / 403 Forbidden: These codes are crucial for understanding authentication and authorization mechanisms. 401 means no valid credentials were presented; 403 means the credentials are known but not permitted. Inconsistent responses across endpoints or HTTP methods often point to access-control gaps.
v. 404 Not Found: Can be used to enumerate resources. When a guessed path returns 404 but another returns 200, 301, 401 or 403, the difference confirms that the second resource exists, which is how directory and endpoint brute-forcing works. If sensitive endpoints are discovered this way, it can lead to further exploitation.
vi. 500 Internal Server Error: Indicates an unhandled server-side error. When a 500 appears only after a parameter is fed a quote, a shell metacharacter or an oversized value, it suggests the input reached a code path that does not handle it, which is a common first sign of SQL injection, command injection or similar server-side bugs.
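To make item ii concrete, here is an added example (it is not code from the original post) showing the 302 an unvalidated next parameter produces beside a hardened version. The host list in ALLOWED_HOSTS and the names is_safe_redirect, vulnerable_redirect and hardened_redirect are assumptions for this illustration; the check also covers the scheme-relative, backslash and userinfo variants that commonly bypass naive host comparisons.

```python
# Added example (not from the original post): an open-redirect check for
# 301/302 Location values. ALLOWED_HOSTS, is_safe_redirect and the two
# redirect helpers are assumed names for this illustration.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}  # assumed: hosts we may redirect to


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` keeps the user on an allowed host.

    Rejects absolute URLs to other hosts, scheme-relative URLs such as
    "//evil.example", the backslash form "/\\evil.example" (browsers treat
    the backslash as a slash), userinfo tricks such as
    "https://app.example.com@evil.example/" and non-http(s) schemes such
    as "javascript:".
    """
    if not target:
        return False
    # Browsers normalise "\" to "/" in the authority position, so do the same
    # before parsing; otherwise urlsplit sees "/\evil.example" as a path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: must be http(s) and carry an authority. This also
        # rejects "https:/evil.example", which browsers repair to
        # "https://evil.example/".
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    if parts.netloc:
        # Scheme-relative URL ("//host/path"): the same host rule applies.
        return (parts.hostname or "").lower() in allowed_hosts
    # Path-relative URL: exactly one leading slash. "///evil.example" is
    # re-parsed by browsers as a host, so anything starting "//" is rejected.
    return normalised.startswith("/") and not normalised.startswith("//")


def vulnerable_redirect(next_param):
    """The 302 an unvalidated `next` parameter produces: an open redirect."""
    return "302 Found", next_param


def hardened_redirect(next_param, fallback="/"):
    """Same 302, but only after the target passes is_safe_redirect."""
    location = next_param if is_safe_redirect(next_param) else fallback
    return "302 Found", location
```

In a real handler the tuple would become the status line and Location header; the point is that the only difference between the two functions is the check, and that the check compares the parsed hostname, not a string prefix.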
2. Identifying Misconfigurations:
i. 403 Forbidden: If this status is returned for legitimate requests, it may indicate misconfigured access controls.
ii. 405 Method Not Allowed: Tells you which HTTP methods an endpoint accepts; the accompanying Allow header lists them. If state-changing methods such as PUT or DELETE are enabled where they are not needed, or are not covered by the same access checks as GET and POST, that is a security risk.
iii. 429 Too Many Requests: Indicates rate limiting, which is an important control against brute-force and credential-stuffing attacks. If repeated failed login attempts never produce a 429 (or another throttling response such as a temporary lockout), rate limiting is probably missing and the login endpoint is a brute-force target.
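As an added example (not code from the original post), the following sliding-window limiter is what a login endpoint needs in order to answer 429 Too Many Requests with a Retry-After header after repeated failures. The thresholds, the LoginRateLimiter class, the check_login function and the verify_password callback it takes are all assumptions for this illustration; the clock is injectable so the behaviour can be exercised without waiting.

```python
# Added example (not from the original post): per-IP and per-account login
# throttling that returns 429 with Retry-After. All names and thresholds
# are assumptions for illustration.
import time
from collections import deque

MAX_FAILURES = 5      # assumed: failed attempts tolerated per key per window
WINDOW_SECONDS = 300  # assumed: length of the sliding window


class LoginRateLimiter:
    """Tracks failed logins per key (client IP or username) in a sliding window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock          # injectable so tests can drive time
        self._failures = {}         # key -> deque of failure timestamps

    def _recent(self, key):
        """Drop failures older than the window; return (now, remaining deque)."""
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return now, q

    def retry_after(self, key):
        """Seconds until the oldest counted failure expires, or 0 if not limited."""
        now, q = self._recent(key)
        if len(q) < self.max_failures:
            return 0
        return int(self.window - (now - q[0])) + 1

    def record_failure(self, key):
        now, q = self._recent(key)
        q.append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def check_login(limiter, client_ip, username, password, verify_password):
    """Return (status_code, headers) the way an HTTP login handler would.

    The source IP and the username are limited independently, so both a
    distributed attack on one account and one host spraying many accounts
    are throttled. The limit is checked before the password, so a correct
    guess made while throttled still gets 429 rather than confirming it.
    """
    keys = (f"ip:{client_ip}", f"user:{username.lower()}")
    for key in keys:
        wait = limiter.retry_after(key)
        if wait:
            return 429, {"Retry-After": str(wait)}
    if verify_password(username, password):
        limiter.reset(keys[1])   # a real login clears the account's counter
        return 200, {}
    for key in keys:
        limiter.record_failure(key)
    return 401, {}
```

A production deployment would keep the counters in shared storage (for example Redis) so that every application instance sees the same counts; the decision logic stays the same.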
3. Security Testing and Debugging:
i. 400-499 Client Errors: Help in identifying how the server handles erroneous or hostile input, and which of your test payloads were rejected before they reached application logic.
ii. 500-599 Server Errors: These are critical for debugging server-side issues. Frequent 500 errors usually mean unhandled exceptions, and any exception that attacker-controlled input can trigger deserves investigation as a potential vulnerability.
4. Exploitation Indicators:
i. 401 Unauthorized: A burst of 401 responses from one source address, or against one account from many addresses, in your server logs can indicate a brute-force or credential-stuffing attack.
ii. 403 Forbidden: A 403 on a resource is an invitation to test access-control bypass techniques (alternate HTTP methods, path variations, header manipulation); a 403 that turns into a 200 after such a change is an exploitation indicator.
iii. 500 Internal Server Error: Often indicates an unhandled exception. Clusters of 500s on one parameter or endpoint, especially with injection-style payloads in the request line, suggest someone is probing for injection flaws.
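The indicators above are easiest to see when you run simple detection logic over access logs. The following is an added example (not from the original post) that parses Apache/nginx combined-format lines and flags sources by status-code pattern: many 401s (brute force), many distinct 404 paths (enumeration) and repeated 500s (injection probing). The log lines are constructed for this demo, and the thresholds and function names are assumptions.

```python
# Added example (not from the original post): detection over access logs.
# SAMPLE_LOG is constructed for this demo; thresholds are assumptions.
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 187
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 187
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 187
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 187
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 187
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 187
198.51.100.23 - - [10/Mar/2024:10:05:10 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:10 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:11 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:11 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:12 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:13 +0000] "GET /api/v1/users HTTP/1.1" 403 153
198.51.100.23 - - [10/Mar/2024:10:05:13 +0000] "GET /config.bak HTTP/1.1" 404 153
198.51.100.23 - - [10/Mar/2024:10:05:14 +0000] "GET /server-status HTTP/1.1" 404 153
192.0.2.99 - - [10/Mar/2024:10:09:30 +0000] "GET /search?q=%27 HTTP/1.1" 500 1204
192.0.2.99 - - [10/Mar/2024:10:09:31 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 1204
192.0.2.99 - - [10/Mar/2024:10:09:32 +0000] "GET /item/1%3B%20ls HTTP/1.1" 500 1204
192.0.2.10 - - [10/Mar/2024:10:10:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [10/Mar/2024:10:10:01 +0000] "GET /missing.png HTTP/1.1" 404 153
"""


def parse(lines):
    """Yield (ip, method, path, status) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def find_indicators(lines, auth_failures=5, enum_paths=8, server_errors=3):
    """Return {ip: [(indicator, count), ...]} for sources crossing a threshold.

    Enumeration is measured in *distinct* 404 paths rather than raw 404s so
    that a browser repeatedly fetching one missing image is not flagged.
    """
    failures = Counter()
    missing = defaultdict(set)
    errors = Counter()
    for ip, _method, path, status in parse(lines):
        if status == 401:
            failures[ip] += 1
        elif status == 404:
            missing[ip].add(path.split("?", 1)[0])
        elif status >= 500:
            errors[ip] += 1
    findings = defaultdict(list)
    for ip, n in failures.items():
        if n >= auth_failures:
            findings[ip].append(("brute_force", n))
    for ip, paths in missing.items():
        if len(paths) >= enum_paths:
            findings[ip].append(("enumeration", len(paths)))
    for ip, n in errors.items():
        if n >= server_errors:
            findings[ip].append(("server_errors", n))
    return dict(findings)
```

In practice you would bucket by time window as well as by source, and feed the result to alerting rather than returning it; the status-code logic is the part that carries over unchanged.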
5. Information Disclosure:
i. Verbose Error Messages: Sometimes status codes like 500 come with detailed error bodies that reveal stack traces, database errors, file paths or framework versions. The client should get a generic message and a reference ID; the details belong in server-side logs.
ii. Custom Status Codes: Applications that return non-standard status codes or unusual reason phrases may leak information about the backend architecture or logic; a code the browser does not recognise still reaches an attacker who reads raw responses.
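The fix for verbose 500 bodies is the same in every framework: catch the exception at the edge, log the traceback with a reference ID, and send the client only the ID. The following added example (not code from the original post) shows the leaky and the hardened pattern side by side as plain WSGI middleware from the standard library, with a small demo application and a helper that invokes it without a socket. demo_app, the internal error text it raises and the function names are assumptions for this illustration.

```python
# Added example (not from the original post): generic 500 responses that keep
# stack traces server-side. demo_app and all names here are assumed.
import logging
import traceback
import uuid

log = logging.getLogger("errors")


def demo_app(environ, start_response):
    """Tiny WSGI app standing in for the real application; /boom raises."""
    if environ.get("PATH_INFO") == "/boom":
        # Assumed internal detail: the kind of message a DB driver might raise.
        raise ValueError("db error near: SELECT * FROM users WHERE id='1'")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def verbose_errors(app):
    """The leaky pattern: the full traceback goes to the client."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            body = traceback.format_exc().encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [body]
    return wrapper


def generic_errors(app):
    """The hardened pattern: traceback to the log, reference ID to the client.

    Assumes the failure happens before the wrapped app has started its
    response (true for the demo); a full implementation would also pass
    exc_info to start_response when headers were already sent.
    """
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex
            log.exception("unhandled exception, incident=%s path=%s",
                          incident, environ.get("PATH_INFO"))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("X-Incident-Id", incident)])
            return [f"Internal server error (reference {incident})".encode()]
    return wrapper


def call(app, path):
    """Invoke a WSGI app directly and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()
```

Compare call(verbose_errors(demo_app), "/boom") with call(generic_errors(demo_app), "/boom"): both answer 500, but only the first carries the exception text and the SQL fragment in the body. The reference ID in the second lets support staff find the full traceback in the log without exposing it.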
The next time you see an HTTP status code, take a moment to understand its message. This knowledge is your weapon to build secure applications.
Note: If you receive a response that is not in this list, it may be a non-standard code specific to the server software, or simply a registered code that is less common. For example, the popular web framework Ruby on Rails returns 422 Unprocessable Entity (a registered code, originally from WebDAV and now called "Unprocessable Content" in RFC 9110) when a request is well-formed but cannot be processed because of semantic errors such as failed validation.
Want to deep dive? Please visit Mozilla Web Docs https://developer.mozilla.org/en-US/docs/Web/HTTP/Status for more