Majority response status codes 5XX

firetail:majority-status-code-500

Type: Detection

Rule Severity: Info

Over half of an API's response status codes over a given time period were in the 5XX range.

A large majority of 5XX responses can be an indicator of malicious activity. Under normal operations a web service should not be encountering errors. A majority of requests receiving 5XX responses means that the service is broken and someone may be trying to induce the errors on purpose.

Remediation

Investigate the API to verify if it should be returning a majority of responses with 5XX status codes.
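As an aid to that investigation, the following added example (not FireTail's own rule logic) applies the "over half of responses in the 5XX range" check to access-log records and lists the endpoints and status codes that produce the errors in each flagged window. The record layout, the 300-second window, the minimum-request floor and the API names and paths in the sample data are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300  # assumed; the rule only says "a given time period"
MIN_REQUESTS = 5      # assumed floor so one failed request cannot trip the check

def _rows(api, minute, path, statuses):
    """Build constructed log records: (ISO-8601 timestamp, api, path, status)."""
    return [(f"2024-01-01T10:{minute:02d}:{i:02d}Z", api, path, s)
            for i, s in enumerate(statuses)]

# Constructed sample data, not taken from any real service.
SAMPLE_LOG = (
    _rows("orders-api", 1, "/orders", [200, 200, 200, 200, 200, 500])         # 1 of 6
    + _rows("orders-api", 6, "/orders/export", [500, 500, 502, 500])          # 4 of 6 with
    + _rows("orders-api", 7, "/orders", [200, 200])                           # the next row
    + _rows("billing-api", 6, "/invoices", [500, 200, 500, 200, 500, 200])    # exactly half
    + _rows("billing-api", 12, "/invoices", [503])                            # below floor
)

def window_start(ts, width=WINDOW_SECONDS):
    """Floor an ISO-8601 UTC timestamp to the start of its window (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % width

def majority_5xx(records, width=WINDOW_SECONDS, min_requests=MIN_REQUESTS):
    """Return one finding per (api, window) where over half the responses were 5XX."""
    totals, errors = Counter(), Counter()
    by_source = defaultdict(Counter)
    for ts, api, path, status in records:
        key = (api, window_start(ts, width))
        totals[key] += 1
        if 500 <= status <= 599:
            errors[key] += 1
            by_source[key][(path, status)] += 1
    findings = []
    for key in sorted(totals):
        total, failed = totals[key], errors[key]
        # Strict majority (failed / total > 0.5), written without float division.
        if total >= min_requests and failed * 2 > total:
            findings.append({
                "api": key[0],
                "window_start": datetime.fromtimestamp(key[1], timezone.utc).isoformat(),
                "total": total,
                "errors": failed,
                "top_sources": by_source[key].most_common(3),
            })
    return findings
```

In the sample data only the orders-api window starting at 10:05 is flagged; the billing-api window with exactly half of its responses in the 5XX range is not, because the rule requires more than half.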

Example Attack Scenario

An attacker who finds an endpoint that responds with a 5XX status code may start probing that endpoint further, either to extract more information about the cause of the error and the system, or to induce a fatal crash.
