NimbostratusWe have an application generating status 500 code, which was defined as illegal http status in response by ASM. By reading some information, it seems that ASM defines 4xx - 5xx all as illegal by default. Is there any reason why? What is the risk to be considered to allow 4xx - 5xx?
Regards.
CirrocumulusIt allows for information leakage. For example, many java stacks will disclose where exactly the error happened when 500 is generated, etc. ASM's goal is to prevent as much information disclosure about the backend as possible. Additionally, exposing that a particular request generates a 500 error may give an attacker an idea about certain attack vector as well.
Nimbostratus
CirrusIt allows for information leakage. For example, many java stacks will disclose where exactly the error happened when 500 is generated, etc. ASM's goal is to prevent as much information disclosure about the backend as possible. Additionally, exposing that a particular request generates a 500 error may give an attacker an idea about certain attack vector as well.
Nimbostratus
CirrocumulusHTTP 500 means one thing - your application has crashed. Leaking this to the Internet is really bad and it can be easily exploited by hackers. This is an OWASP Top 10 Vulnerability, which is especially dangerous if stack traces are shown, as the attacker can use the HTTP 500 error to pinpoint the location of the vulnerability in your application code.
This is a Medium risk level vulnerability, you can read more about it on OWASP Top 10 page here:
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
Information Leakage Threat:
http://projects.webappsec.org/w/page/13246936/Information%20Leakage
Hope this helps,
Sam
NimbostratusI'm sorry to revive this old thread but the issue is being revisited by our team right now.
Of course leaking sensitive details is a big problem and must be avoided, but that doesn't mean that http status code 5xx are leaking such details.
Applications should be programmed and/or configured to catch unexpected errors and transform them to 5xx responses with some opaque content allowing to refer to the issue in some way so the event can be related to appropriate log entries to be diagnosed and fixed.
But the 5xx status code should reach the client so it can act accordingly.
Otherwise the client is tricked receiving a 200 response with a completely unexpected content which causes lots of headaches.
CirrocumulusI am guessing that by 200 response 'tricking' your client app you mean ASM's default blocking response page and you are probably talking about an AJAX app or a mobile app using REST. The 200 response code for ASM blocking page is just a default setting which you can change - it is not hardcoded. It appears that in your case you should have a customized policy and custom response. For example you can change the response code to 403 which seems to work well with most apps.
MVPsounds like a fair argument, but in the end it will differ per application and rules within a company. F5 ASM chooses to block them with a default profile, but you can change it if you want.
NimbostratusProblem is, our server code correctly informs a 5xx code with a response body having a secure error report which is supposed to be used client side to render a user friendly report with an error id for calling the help desk.
The 5xx has the semantic specifically needed, it's not a server "crash" (it's not a request problem, as a 4xx status code means; it's not a redirect, it's a server side reason for not responding as requested as the HTTP protocol is supposed to report).
The problem is: what should be blocked is insecure content like stack traces with infrastructure details and such, but not blindly breaking the http protocol by replacing a meaningful response with an unexpected, empty, OK response.
Returning a 2xx code in place of a 5xx is particularly harmful because what should have been an error is transformed to a non-error but with unexpected content. This has many unwanted and problematic consequences such as:
Also 403 has other meaning as per the spec.