Findings

Majority Response Status Codes 5XX

Updated: June 19, 2025

Description

Severity: Info

Over half of an API's response status codes over a given time period were in the 5XX range.

A large majority of 5XX responses can be an indicator of malicious activity. Under normal operation a web service should not be encountering server errors. A majority of requests receiving 5XX responses means that the service is broken, and someone may be trying to induce the errors on purpose.
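The detection this finding describes, as an added example that is not part of the original page or the product behind it: a small log-based check that parses combined-format access-log lines, buckets them into fixed time windows and raises a finding for any window in which more than half of all responses were 5XX. The sample log lines, the 5-minute window, the 0.5 threshold and the minimum-request floor are all constructed assumptions; the report also names the path that contributed most of the 5XX responses, which is a refinement beyond the page's API-level rule, to give the investigator a starting point.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (combined-log style); not real traffic.
# Window 1 (10:00-10:04): 10 requests, 6 of them 5XX.  Window 2 (10:05-10:09): 5 requests, all 200.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2025:10:00:01 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.5 - - [19/Jun/2025:10:00:04 +0000] "GET /api/v1/orders/42 HTTP/1.1" 200 288
10.0.0.9 - - [19/Jun/2025:10:00:07 +0000] "GET /api/v1/export?limit=1000000 HTTP/1.1" 500 0
10.0.0.9 - - [19/Jun/2025:10:00:08 +0000] "GET /api/v1/export?limit=-1 HTTP/1.1" 500 0
10.0.0.9 - - [19/Jun/2025:10:00:09 +0000] "GET /api/v1/export?page=0 HTTP/1.1" 500 0
10.0.0.9 - - [19/Jun/2025:10:00:10 +0000] "GET /api/v1/export?limit=abc HTTP/1.1" 503 0
10.0.0.9 - - [19/Jun/2025:10:00:11 +0000] "GET /api/v1/export?limit=9999999999 HTTP/1.1" 500 0
10.0.0.9 - - [19/Jun/2025:10:00:12 +0000] "GET /api/v1/report HTTP/1.1" 502 0
10.0.0.7 - - [19/Jun/2025:10:01:30 +0000] "POST /api/v1/orders HTTP/1.1" 201 64
10.0.0.7 - - [19/Jun/2025:10:02:15 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.7 - - [19/Jun/2025:10:07:01 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.7 - - [19/Jun/2025:10:07:02 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.7 - - [19/Jun/2025:10:07:03 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.7 - - [19/Jun/2025:10:07:04 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
10.0.0.7 - - [19/Jun/2025:10:07:05 +0000] "GET /api/v1/orders HTTP/1.1" 200 512
this line is not a valid log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string so requests group per endpoint
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}


def majority_5xx(lines, window=timedelta(minutes=5), threshold=0.5, min_requests=5):
    """Return one finding per time window in which more than `threshold` of all
    responses were 5XX.  Windows with fewer than `min_requests` responses are
    skipped so that a single failed request on a quiet API does not raise a finding."""
    secs = int(window.total_seconds())
    per_window = defaultdict(lambda: {"total": 0, "n5xx": 0, "by_path": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = int(rec["ts"].timestamp() // secs) * secs  # floor to the window boundary
        stats = per_window[start]
        stats["total"] += 1
        if 500 <= rec["status"] <= 599:
            stats["n5xx"] += 1
            stats["by_path"][rec["path"]] += 1
    findings = []
    for start, stats in sorted(per_window.items()):
        if stats["total"] < min_requests:
            continue
        ratio = stats["n5xx"] / stats["total"]
        if ratio > threshold:
            findings.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc),
                "total": stats["total"],
                "n5xx": stats["n5xx"],
                "ratio": ratio,
                "top_5xx_path": stats["by_path"].most_common(1)[0][0],
            })
    return findings


if __name__ == "__main__":
    for f in majority_5xx(SAMPLE_LOG.splitlines()):
        print(f"{f['window_start']:%Y-%m-%d %H:%M}  {f['n5xx']}/{f['total']} responses were 5XX "
              f"({f['ratio']:.0%}), mostly on {f['top_5xx_path']}")
```

Run against the constructed sample, the 10:00 window is reported (6 of 10 responses were 5XX, most of them on `/api/v1/export`) and the all-200 10:05 window is not. Raising `threshold` or `min_requests` is how a deployment tunes how noisy the finding is for low-traffic APIs.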

Example Attack

An attacker who finds an endpoint that responds with a 5XX status may start probing that endpoint further to try to extract more information about the cause of the error and the underlying system, or to induce a fatal crash.

Remediation

Investigate the API to verify if it should be returning a majority of responses with 5XX status codes.

Security Frameworks

CIS-ASG-2.3.2: CIS 2.3.2: Establish standardized error handling procedures

Put in place a consistent procedure to handle errors.

Rationale

Establishing standardized error handling procedures ensures consistency across the API, providing a uniform approach to managing and communicating errors. This improves the clarity and usefulness of error messages for developers and users, enhancing overall user experience. It also prevents revealing sensitive information that could help attackers.

Remediation
  • Improve the clarity of error messages.
  • Establish guidelines for handling errors.
  • Enforce HTTP return status compliance.
  • Update the documentation accordingly.
Audit
  • Review the documentation by inspecting the existing error format that is in place.
  • Identify potential disclosure of internal system information in error messages.
  • Assess the quality of all existing error messages: are they comprehensive, and do they correctly communicate the error?
  • Verify HTTP standards compliance; for example, 404 should be used for non-existent resources, 401/403 for unauthenticated or unauthorized access, and so on.
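The remediation and audit points above (a consistent error format, correct HTTP status codes, and no leakage of internal detail) in working form, as an added example that is not code from the original page or from the CIS benchmark: a framework-independent Python error handler. The `ApiError` class hierarchy, the `{"error": {"code", "message", "correlation_id"}}` body shape and the `handle()` wrapper are assumptions made for the example; `leaky_error_response()` is included only to show the disclosure pattern the audit step is meant to catch, beside its hardened counterpart.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger("api.errors")


class ApiError(Exception):
    """Base class for errors the API deliberately exposes to clients.
    Subclasses fix the HTTP status, a stable machine-readable code and a
    public message that carries no internal detail."""
    status = 500
    code = "internal_error"
    public_message = "An internal error occurred."


class NotFound(ApiError):
    status, code, public_message = 404, "not_found", "The requested resource does not exist."


class Unauthenticated(ApiError):
    status, code, public_message = 401, "unauthenticated", "Authentication is required."


class Forbidden(ApiError):
    status, code, public_message = 403, "forbidden", "Access to this resource is not permitted."


def leaky_error_response(exc):
    """The pattern the audit step looks for: raw exception text and the stack
    trace go straight into the response body, exposing internal system details."""
    body = {"error": str(exc), "trace": traceback.format_exc()}
    return 500, {"Content-Type": "application/json"}, json.dumps(body)


def error_response(exc):
    """Map any exception to (status, headers, body) with one uniform JSON shape.
    Only ApiError subclasses expose their message; everything else becomes a
    generic 500 whose details are logged server-side under a correlation id
    that the client can quote when reporting the problem."""
    correlation_id = str(uuid.uuid4())
    if isinstance(exc, ApiError):
        status, code, message = exc.status, exc.code, exc.public_message
    else:
        status, code, message = 500, "internal_error", "An internal error occurred."
        # Stack trace and exception text stay in the server log, never in the body.
        log.error("unhandled exception [%s]\n%s", correlation_id, traceback.format_exc())
    body = {"error": {"code": code, "message": message, "correlation_id": correlation_id}}
    headers = {"Content-Type": "application/json"}
    if status == 401:
        # A 401 response must carry a challenge header (RFC 7235, section 3.1).
        headers["WWW-Authenticate"] = 'Bearer realm="api"'
    return status, headers, json.dumps(body)


def handle(view, hardened=True):
    """Run a request handler and convert its outcome into an HTTP (status, headers, body) triple."""
    try:
        return 200, {"Content-Type": "application/json"}, json.dumps(view())
    except Exception as exc:
        return error_response(exc) if hardened else leaky_error_response(exc)


def _raise(exc):
    """Helper so a lambda can raise inside handle()."""
    raise exc


if __name__ == "__main__":
    print(handle(lambda: {"id": 42}))
    print(handle(lambda: _raise(NotFound())))
    print(handle(lambda: 1 / 0, hardened=False))  # leaks "division by zero" and a traceback
    print(handle(lambda: 1 / 0))                  # generic message plus a correlation id
```

The point of the split between `ApiError` and everything else is that the set of messages a client can ever see is enumerated in code and reviewable, while the correlation id keeps the generic 500 debuggable: the operator greps the server log for it instead of the client being handed the stack trace.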