Majority response status codes 4XX

firetail:majority-status-code-400

Type: Detection

Rule Severity: Info

Over half of an API's response status codes over a given time period were in the 4XX range.

A large majority of 4XX responses can be an indicator of malicious activity. Under normal operations, it is common for some requests to be made incorrectly or without proper authentication. A majority of requests receiving 4XX responses means that the service is being misused or abused.

Remediation

Investigate the API to verify if it should be returning a majority of responses with 4XX status codes.
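
The check described above, as an added example (not FireTail's own rule code): it groups access-log records into fixed windows, flags any window where more than half of the responses were 4XX, and breaks those responses down by status, client and endpoint to support the investigation. The 300-second window, the record layout and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 300  # assumed; the rule text only says "a given time period"

# Constructed sample records: (epoch seconds, client, method, path, status)
SAMPLE = [
    (10, "203.0.113.5", "GET", "/items", 200),
    (40, "203.0.113.5", "GET", "/items/9", 404),
    (90, "203.0.113.8", "POST", "/login", 200),
    (200, "203.0.113.8", "GET", "/items", 200),
    # Burst of failed logins from one client in the second window
    *[(310 + i, "198.51.100.7", "POST", "/login", 401) for i in range(4)],
    (320, "203.0.113.5", "GET", "/items", 200),
    (350, "203.0.113.8", "GET", "/items/2", 404),
    (400, "203.0.113.8", "GET", "/items", 200),
    # Exactly half 4XX: not "over half", so this window must not be flagged
    (610, "203.0.113.5", "GET", "/items", 200),
    (620, "203.0.113.5", "GET", "/nope", 404),
]


def majority_4xx_windows(records, window=WINDOW_SECONDS):
    """Return one finding per window in which over half of the responses were 4XX."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec[0] // window * window].append(rec)

    findings = []
    for start in sorted(buckets):
        recs = buckets[start]
        errors = [r for r in recs if 400 <= r[4] <= 499]
        if len(errors) * 2 <= len(recs):  # require strictly more than half
            continue
        findings.append({
            "window_start": start,
            "total": len(recs),
            "count_4xx": len(errors),
            # Triage hints: which codes, which clients, which endpoints
            "by_status": dict(Counter(r[4] for r in errors)),
            "top_clients": Counter(r[1] for r in errors).most_common(3),
            "top_paths": Counter((r[2], r[3]) for r in errors).most_common(3),
        })
    return findings


if __name__ == "__main__":
    for finding in majority_4xx_windows(SAMPLE):
        print(finding)
```

A window dominated by 401 or 403 from a few clients on an authentication endpoint points to a different cause than a spread of 404s from many clients, which more often indicates a broken integration or a stale link.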

Example Attack Scenario

An attacker can try to log in with a large number of usernames and passwords that leaked in some unrelated incident. This is called credential stuffing, and it will generate a large number of failed requests.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications