Systems that log and monitor HTTP status codes for performance or error tracking might not recognize undocumented status codes, resulting in incomplete or inaccurate monitoring data.
An attacker targets an API endpoint (e.g., /auth/login) that documents responses like 200 OK (success), 401 Unauthorized (invalid credentials), and 429 Too Many Requests (rate-limiting). By sending malformed requests, the attacker triggers an undocumented 499 Client Closed Request response that includes sensitive debugging information, such as stack traces or file paths. This disclosure helps the attacker gather internal details about the server, enabling further exploitation.
